Authentication Bypass Affecting github.com/grafana/grafana/pkg/api package, versions >=8.0.0 <8.1.6 >=2.0.1 <7.5.11
6 Oct 2021
5 Oct 2021
How to fix?
Upgrade github.com/grafana/grafana/pkg/api to version 8.1.6, 7.5.11 or higher.
github.com/grafana/grafana/pkg/api is an open and composable observability and data visualization platform.
Affected versions of this package are vulnerable to Authentication Bypass. Both unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths

Additionally, if the snapshot public_mode configuration setting is set to true (the default is false), unauthenticated users are also able to delete the snapshot with the lowest database key by accessing the literal path /api/snapshots-delete/:deleteKey. Authenticated users are able to delete the snapshot with the lowest database key regardless of the snapshot public_mode, by accessing either one of the literal paths:

The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss.
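The following is an added defender-side example written for this page; it is not code from Snyk or from the Grafana project. It turns the advisory into three checks an operator can run: whether a deployed Grafana version falls inside the two affected ranges stated above, whether the snapshots public_mode setting is enabled in a grafana.ini (the [snapshots] section and public_mode key are the grafana.ini names for that setting; the default false matches the advisory), and a scan of web-access log lines for requests whose snapshot path contains a literal router placeholder such as the :deleteKey segment quoted above. The access-log format and the sample lines are constructed for the example, and treating any ':'-prefixed segment under /api/snapshots as a hit is an assumption that generalises the one literal path the advisory gives.

```python
import configparser
import re
from typing import List, Tuple

# Affected ranges exactly as the advisory states them:
# >=2.0.1 <7.5.11 and >=8.0.0 <8.1.6 (lower bound inclusive, upper exclusive).
AFFECTED_RANGES = [((2, 0, 1), (7, 5, 11)), ((8, 0, 0), (8, 1, 6))]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn 'v8.1.5' or '8.1.5-beta1' into (8, 1, 5); pre-release suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def snapshot_public_mode(ini_text: str) -> bool:
    """Read [snapshots] public_mode from grafana.ini-style text; absent means the default false."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    return cp.getboolean("snapshots", "public_mode", fallback=False)


# Assumed common-log-style request line: "METHOD /path HTTP/x.y" STATUS
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def literal_placeholder_hits(log_lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (method, path, status) for snapshot requests whose path still carries a
    literal ':'-prefixed route placeholder, e.g. /api/snapshots-delete/:deleteKey.
    Assumption: any ':'-prefixed segment under /api/snapshots counts as a hit."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we recognise; skip rather than guess
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if not path.startswith("/api/snapshots"):
            continue
        if any(seg.startswith(":") for seg in path.strip("/").split("/")):
            hits.append((m.group("method"), path, int(m.group("status"))))
    return hits


# Constructed sample data (not taken from any real deployment).
SAMPLE_INI = """
; constructed grafana.ini excerpt for the example
[snapshots]
public_mode = true
"""

SAMPLE_LOG = [
    '10.0.0.5 - - [05/Oct/2021:10:00:01 +0000] "GET /api/snapshots/abc123def HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/Oct/2021:10:00:02 +0000] "GET /api/snapshots-delete/:deleteKey HTTP/1.1" 200 41',
    '10.0.0.9 - - [05/Oct/2021:10:00:03 +0000] "GET /api/dashboards/home HTTP/1.1" 200 1200',
    '10.0.0.7 - - [05/Oct/2021:10:00:04 +0000] "GET /api/snapshots-delete/:deleteKey?x=1 HTTP/1.1" 200 41',
]


if __name__ == "__main__":
    for v in ("7.5.10", "7.5.11", "8.1.5", "8.1.6"):
        print(f"{v}: {'affected' if is_affected(v) else 'fixed'}")
    print("public_mode enabled:", snapshot_public_mode(SAMPLE_INI))
    for hit in literal_placeholder_hits(SAMPLE_LOG):
        print("literal placeholder request:", hit)
```

A 200 on a request whose path contains a literal placeholder segment is the signal worth alerting on, because a patched build should not serve a snapshot for that path; the same scan run over historical logs helps bound whether any snapshot was viewed or deleted through this route before the upgrade.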