FreeBSD: VID-757ee63b-269a-11ec-a616-6c3be5272acd (CVE-2021-39226): Grafana -- Snapshot authentication bypass
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:M/Au:N/C:P/I:P/A:P) | Oct 6, 2021 | Nov 4, 2022 | Dec 10, 2025 |
Description
Grafana Labs reports:

Unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths:

- /dashboard/snapshot/:key, or
- /api/snapshots/:key

If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path:

- /api/snapshots-delete/:deleteKey

Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths:

- /api/snapshots/:key, or
- /api/snapshots-delete/:deleteKey

The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss.
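A detection check for the literal paths listed in the description, as an added example that is not part of the original advisory or Grafana's own code: it scans access-log lines for requests whose path is exactly one of those placeholder paths. The combined log format (a reverse proxy in front of Grafana), the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Literal paths from the advisory; ":key" / ":deleteKey" are sent as-is.
LITERAL_PATHS = {
    "/dashboard/snapshot/:key": "view",
    "/api/snapshots/:key": "view or delete",
    "/api/snapshots-delete/:deleteKey": "delete",
}

# Assumption: combined-format access log from a reverse proxy in front of Grafana.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)

def find_literal_snapshot_requests(lines):
    """Return (ip, method, path, action, status) for each request whose
    path is exactly one of the literal paths named in the advisory."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        # Drop the query string, percent-decode, ignore a trailing slash.
        path = unquote(m.group("target").split("?", 1)[0]).rstrip("/")
        action = LITERAL_PATHS.get(path)
        if action:
            findings.append((m.group("ip"), m.group("method"), path,
                             action, int(m.group("status"))))
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Oct/2021:10:01:02 +0000] "GET /dashboard/snapshot/:key HTTP/1.1" 200 5120',
    '198.51.100.7 - - [06/Oct/2021:10:01:05 +0000] "GET /api/snapshots-delete/:deleteKey HTTP/1.1" 200 64',
    '192.0.2.10 - alice [06/Oct/2021:10:02:00 +0000] "GET /dashboard/snapshot/Zx81kQpLr9 HTTP/1.1" 200 4800',
    '203.0.113.4 - - [06/Oct/2021:10:03:00 +0000] "GET /api/snapshots/%3Akey?x=1 HTTP/1.1" 404 20',
]

if __name__ == "__main__":
    for finding in find_literal_snapshot_requests(SAMPLE_LOG):
        print(finding)
```

A 2xx status on a flagged line means the instance answered the literal path and the snapshot store should be reviewed; requests for real snapshot keys are not flagged.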
Solutions
- freebsd-upgrade-package-grafana8
- freebsd-upgrade-package-grafana7
- freebsd-upgrade-package-grafana6
- freebsd-upgrade-package-grafana