CVE-2021-39226
Published: 05 October 2021
Summary
CVE-2021-39226 is a critical-severity Improper Authentication (CWE-287) vulnerability in Grafana. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-7 (Least Functionality).
Deeper analysis
Grafana is an open source data visualization platform affected by improper authentication and authorization flaws (CWE-287 and CWE-862) that allow access to snapshot resources. In vulnerable versions, both unauthenticated and authenticated users can retrieve the snapshot possessing the lowest database key by directly requesting the paths /dashboard/snapshot/:key or /api/snapshots/:key. When the snapshot public_mode setting is enabled, unauthenticated users can additionally delete that snapshot via /api/snapshots-delete/:deleteKey, while authenticated users can perform the same deletion regardless of the setting.
An attacker can therefore enumerate and exfiltrate snapshot contents by repeatedly accessing the lowest-key resource, then delete each snapshot after retrieval, resulting in complete loss of snapshot data while traversing the entire collection. The vulnerability carries a CVSS 3.1 score of 9.8 and requires no privileges or user interaction.
Official advisories and patches state that the issue is resolved in Grafana 8.1.6 and 7.5.11. Organizations unable to upgrade immediately are advised to deploy a reverse proxy or equivalent control to block requests for the literal paths /api/snapshots/:key, /api/snapshots-delete/:deleteKey and /dashboard/snapshot/:key (that is, with the ":key" and ":deleteKey" text requested exactly as written). These paths have no normal function and can be blocked without side effects.
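As an added example (not part of this advisory and not Grafana's own code), the following Python script applies the mitigation logic above from the defender's side: it recognises requests for the literal routes named in the advisory, with ":key" or ":deleteKey" as the path element, and scans web-server access-log lines for them, separating view attempts from delete attempts per source address. The same exact-match check is what a reverse-proxy block rule implements. The combined log format, the sample addresses and the decision to ignore query strings and trailing slashes are assumptions of this example, not something the advisory specifies.

```python
import re
from collections import defaultdict

# Literal paths named in the advisory. In vulnerable versions the colon-prefixed
# route placeholder is requested verbatim, so an exact string match is the right
# check (a real snapshot key such as /api/snapshots/abc123 is NOT in this set).
BLOCKED_LITERAL_PATHS = frozenset({
    "/dashboard/snapshot/:key",
    "/api/snapshots/:key",
    "/api/snapshots-delete/:deleteKey",
})

# Assumption: Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Oct/2021:10:00:01 +0000] "GET /api/snapshots/:key HTTP/1.1" 200 1532 "-" "curl/7.68.0"',
    '203.0.113.7 - - [05/Oct/2021:10:00:02 +0000] "GET /api/snapshots-delete/:deleteKey HTTP/1.1" 200 27 "-" "curl/7.68.0"',
    '198.51.100.4 - - [05/Oct/2021:10:00:03 +0000] "GET /api/snapshots/abc123def HTTP/1.1" 200 1520 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [05/Oct/2021:10:00:04 +0000] "GET /dashboard/snapshot/:key HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [05/Oct/2021:10:00:05 +0000] "GET /api/dashboards/home HTTP/1.1" 200 500 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Oct/2021:10:00:06 +0000] "DELETE /api/snapshots/:key HTTP/1.1" 200 27 "-" "curl/7.68.0"',
]


def is_vulnerable_literal_path(path: str) -> bool:
    """Return True if the request path is one of the advisory's literal routes.

    Query strings and a trailing slash are stripped first (assumption: being
    over-inclusive here is safe because these paths have no legitimate use).
    """
    path = path.split("?", 1)[0]
    if len(path) > 1:
        path = path.rstrip("/")
    return path in BLOCKED_LITERAL_PATHS


def is_deletion(method: str, path: str) -> bool:
    """Both deletion routes from the advisory: the -delete path, or DELETE on :key."""
    return method == "DELETE" or path == "/api/snapshots-delete/:deleteKey"


def scan_access_log(lines):
    """Return one record per log line that requested a literal snapshot route."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        if not is_vulnerable_literal_path(m["path"]):
            continue
        hits.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
            "deletion": is_deletion(m["method"], m["path"]),
        })
    return hits


def summarize_by_source(hits):
    """Aggregate hits per source IP: request count, deletion count, paths seen."""
    summary = defaultdict(lambda: {"requests": 0, "deletions": 0, "paths": set()})
    for h in hits:
        entry = summary[h["ip"]]
        entry["requests"] += 1
        entry["deletions"] += int(h["deletion"])
        entry["paths"].add(h["path"])
    return dict(summary)


if __name__ == "__main__":
    for ip, entry in summarize_by_source(scan_access_log(SAMPLE_LOG)).items():
        flag = "DELETION SEEN" if entry["deletions"] else "view only"
        print(f"{ip}: {entry['requests']} literal-route request(s), {flag}, paths={sorted(entry['paths'])}")
```

Run against the constructed sample, the script flags four requests: three from 203.0.113.7 (two of them deletions) and one view from 198.51.100.4; the request for a real snapshot key and the dashboard request are left alone. Feeding it a real access log only requires replacing SAMPLE_LOG with the file's lines; if your proxy writes a different format, adjust LOG_RE.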
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-2169
Vulnerability details
Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.
- CWE(s): CWE-287, CWE-862
- KEV Date Added: 25 August 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authorization checks on snapshot endpoints so that only permitted users can view or delete /api/snapshots/:key and related paths.
- CM-7 (Least Functionality): Requires disabling the non-essential snapshot view/delete paths that have no operational purpose and are the sole attack surface.
- SC-7 (Boundary Protection): Boundary-protection devices such as a reverse proxy can be configured to block the literal vulnerable URIs when patching is not immediately possible.