SUBJECT: CVE-2021-39226 Grafana Authentication Bypass Vulnerability
TECH STACK: Grafana versions 7.2.0 to 7.5.5
DATE(S) ISSUED: 10/05/2021
CVE-2021-39226 is an authentication bypass vulnerability in Grafana, an open-source platform for analytics and monitoring. It allows an attacker to bypass authentication and gain unauthorized access to snapshot data on the Grafana platform by sending a specially crafted HTTP request to the Grafana server.
The vulnerability affects Grafana versions 7.2.0 to 7.5.5.
NIST Description: Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key.

If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss.

This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.
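The reverse-proxy workaround above comes down to one rule: refuse any request whose path is exactly one of the three literal route templates (":key" or ":deleteKey" sent verbatim instead of a real snapshot key). The script below, added here as an example and not part of this advisory or of Grafana, applies that same exact-path match to proxy access-log lines so that attempts against the literal paths can be found after the fact, whether they succeeded or were blocked. The common-log-format parser, the client addresses and the sample lines are constructed for illustration; adjust the regular expression to your proxy's log format.

```python
"""Find requests to the literal Grafana snapshot routes named in CVE-2021-39226.

Added example for this advisory, not Grafana code. The log format, addresses
and sample lines are constructed.
"""
import re
from urllib.parse import unquote, urlsplit

# The literal paths listed in the advisory. A request whose path equals the
# route template itself (colon included) is the indicator; a real snapshot
# key such as /api/snapshots/abc123 is normal traffic.
LITERAL_SNAPSHOT_PATHS = frozenset({
    "/api/snapshots/:key",
    "/api/snapshots-delete/:deleteKey",
    "/dashboard/snapshot/:key",
})

# Assumed common log format: client ident user [time] "METHOD target PROTO" status bytes
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def normalize_path(target: str) -> str:
    """Drop the query string and percent-decode so '%3Akey' compares equal to ':key'.

    The server routes on the decoded path, so a detector (or a proxy rule)
    that compares the raw request line would miss an encoded colon.
    """
    return unquote(urlsplit(target).path)


def is_literal_snapshot_request(target: str) -> bool:
    """True when the request target is exactly one of the literal template paths."""
    return normalize_path(target) in LITERAL_SNAPSHOT_PATHS


def scan_log(lines):
    """Return (client, method, normalized_path, status) for each matching request.

    Lines that do not parse are skipped rather than raising, so a malformed
    line cannot abort a scan of a large log.
    """
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if m is None:
            continue
        if is_literal_snapshot_request(m["target"]):
            hits.append((m["client"], m["method"],
                         normalize_path(m["target"]), int(m["status"])))
    return hits


def clients_by_hits(hits):
    """Count matching requests per client address, most active first."""
    counts = {}
    for client, _method, _path, _status in hits:
        counts[client] = counts.get(client, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample log: two literal-path reads (one percent-encoded), one
# literal-path delete, and two ordinary requests that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Oct/2021:10:01:02 +0000] "GET /dashboard/snapshot/:key HTTP/1.1" 200 5120',
    '198.51.100.4 - - [05/Oct/2021:10:01:09 +0000] "GET /api/snapshots/abc123def HTTP/1.1" 200 2048',
    '203.0.113.7 - - [05/Oct/2021:10:01:15 +0000] "GET /api/snapshots/%3Akey?orgId=1 HTTP/1.1" 200 2048',
    '203.0.113.7 - - [05/Oct/2021:10:01:21 +0000] "GET /api/snapshots-delete/:deleteKey HTTP/1.1" 200 35',
    '198.51.100.4 - - [05/Oct/2021:10:02:00 +0000] "GET /api/dashboards/home HTTP/1.1" 200 900',
    'not a log line',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for client, method, path, status in found:
        print(f"{client} {method} {path} -> {status}")
    print("per client:", clients_by_hits(found))
```

The same normalized exact match is what the proxy rule enforces: in nginx, for instance, an exact-match block such as `location = /api/snapshots/:key { return 404; }` for each of the three paths. Because the literal templates have no legitimate use, any hit in the log is worth investigating, and a status of 200 on a read or delete indicates the request reached an unpatched instance.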
CISA has added CVE-2021-39226 to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerability. This vulnerability is a frequent attack vector for malicious cyber actors of all types and poses significant risk to the federal enterprise.
Base Score: 7.3 HIGH
The patch for CVE-2021-39226 is an update released by the Grafana team on January 4, 2021. It addresses the authentication bypass vulnerability in Grafana and should be applied to affected systems as soon as possible to protect them from exploitation.
To apply the patch, you will need to upgrade to a patched version of Grafana. The specific version you need to upgrade to depends on the version of Grafana you are currently running:
If you are running Grafana version 7.2.0 to 7.5.5: Upgrade to Grafana version 7.6.0 or later.
To upgrade Grafana, follow these steps:
- Download the latest version of Grafana from the Grafana website.
- Stop the Grafana server.
- Back up your Grafana configuration and data.
- Install the new version of Grafana, following the instructions provided in the Grafana documentation.
- Start the Grafana server.
Note that upgrading Grafana may require a server restart; test the upgrade in a non-production environment before deploying it to your production systems.
MLIST:[oss-security] 20211005 CVE-2021-39226 Grafana snapshot authentication bypass