hackerone | Adam_wallwork | H1:2408480
Mar 08, 2024 - 1:52 p.m.

U.S. Dept Of Defense: CVE-2021-39226 Discovered on endpoint https://██████/api/snapshots

dept of defense
endpoint
confidentiality
integrity
unauthenticated users
authenticated users
snapshot data
snapshot deletion
snapshot viewing
grafana
bug bounty

CVSS2: 6.8 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 6.6 Medium
Confidence: Low

EPSS: 0.91 High
Percentile: 98.9%

Description:
CVE-2021-39226 Discovered on endpoint https://███████/api/snapshots/:key where this issue poses a significant risk to the confidentiality and integrity of snapshot data, allowing both authenticated and unauthenticated users unauthorized access and deletion capabilities.

References

https://nvd.nist.gov/vuln/detail/CVE-2021-39226

Impact

“In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot “public_mode” configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot “public_mode” setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss.”.

Source: https://nvd.nist.gov/vuln/detail/CVE-2021-39226
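
For defenders reviewing their own Grafana access logs, the literal placeholder paths named in the NVD text above can be searched for directly. The following is an added example, not part of the original report or of Grafana; it assumes combined-log-format access logs, treats a DELETE request on a view path as a deletion attempt, and uses constructed sample lines.

```python
import re
from urllib.parse import unquote

# Literal route placeholders named in the NVD text for CVE-2021-39226,
# lower-cased so the match is deliberately over-inclusive.
LITERAL_ROUTES = {
    "/dashboard/snapshot/:key": "view",
    "/api/snapshots/:key": "view",
    "/api/snapshots-delete/:deletekey": "delete",
}
# Assumption: the proxy or web server writes combined log format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize(target):
    """Return the request path roughly as a router would see it."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    for _ in range(2):  # second pass catches double encoding (%253A)
        path = unquote(path)
    return re.sub(r"/{2,}", "/", path).rstrip("/").lower()

def classify(line):
    """Return a finding dict for a literal-placeholder request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    action = LITERAL_ROUTES.get(normalize(m["target"]))
    if action is None:
        return None
    if m["method"] == "DELETE":  # assumption: DELETE on a view path deletes
        action = "delete"
    # "served" marks 2xx responses, i.e. requests the server acted on.
    return {"src": m["src"], "action": action,
            "served": m["status"].startswith("2")}

def scan(log_text):
    return [f for f in map(classify, log_text.splitlines()) if f]

# Constructed sample lines (documentation IP ranges), not from the report.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Mar/2024:13:50:01 +0000] "GET /api/snapshots/:key HTTP/1.1" 200 5123
192.0.2.10 - - [08/Mar/2024:13:50:03 +0000] "GET /api/snapshots-delete/%3AdeleteKey HTTP/1.1" 200 41
198.51.100.7 - - [08/Mar/2024:13:51:10 +0000] "GET /api/snapshots/Zx81kQpLm2 HTTP/1.1" 200 4890
192.0.2.44 - - [08/Mar/2024:13:52:00 +0000] "GET /dashboard/snapshot/:key?orgId=1 HTTP/1.1" 404 19
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Findings with `served` set to true are the ones to follow up first, since a request with an ordinary snapshot key (the third sample line) is not flagged.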

System Host(s)

██████

Affected Product(s) and Version(s)

Grafana

CVE Numbers

CVE-2021-39226

Steps to Reproduce

Visit the endpoint ‘https://████/api/snapshots’ and use ‘/:key’ and to delete visit ‘https://█████/api/snapshots-delete’ and use ‘/:deleteKey’ to delete and view all snapshot data.

Suggested Mitigation/Remediation Actions
