This is a summary of the AI-generated 10-question deep analysis.
Q1 What is this vulnerability? (Essence + Consequences)
**Essence**: A critical authorization flaw in Grafana allows unauthorized access to dashboard snapshots. …
**Root Cause**: **CWE-287** (Improper Authentication). The system fails to properly verify user permissions when accessing snapshot endpoints. …
**Affected**: Grafana versions **up to 7.5.11** and **8.1.5**.
**Component**: The snapshot management feature (`/dashboard/snapshot/:key` and `/api/snapshot/:key`).
Q4 What can hackers do? (Privileges/Data)
**Attacker Actions**:
1. **View**: Access the snapshot with the lowest DB key without logging in.
2. **Delete**: If the snapshot is in 'public mode', unauthenticated users can delete it. …
**Threshold**: **LOW**.
- **Auth**: No authentication required for viewing the lowest-key snapshot.
- **Config**: Deletion requires 'public mode' to be true (default is false, but if set, it's critical).
Q6 Is there a public exploit? (PoC/Wild Exploitation)
**Exploit Status**: **YES**. Public PoC available via Nuclei templates.
**Wild Exploitation**: Likely, given the low barrier to entry and the nature of the flaw (accessing literal paths).
Q7 How to self-check? (Features/Scanning)
**Self-Check**:
1. Use Nuclei with the CVE-2021-39226 template.
2. Manually test accessing `/api/snapshot/1` (or low keys) without login.
3. Check if snapshot 'public mode' is enabled in settings.
Q8 Is it fixed officially? (Patch/Mitigation)
**Fixed**: Yes. Official patches released in **Grafana 7.5.11** and **8.1.6**.
**Reference**: Grafana Security Advisories (GHSA-69j6-29vr-p3j9).
Q9 What if no patch? (Workaround)
**Workaround**:
1. **Disable** 'public mode' for snapshots (ensure it remains false).
2. Restrict access to `/api/snapshot/` and `/dashboard/snapshot/` via WAF or network ACLs.
3. …
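A helper for self-check step 3 and workaround step 1, added here as an example (not part of this summary and not Grafana's own code): it reads the `[snapshots] public_mode` setting from a grafana.ini and scans Grafana request-log lines for snapshot requests that still carry a literal route placeholder such as `:key`, which is the "literal path" access the flaw is reached through. The log lines, the snapshot key `Xb4zR9k`, the addresses and the ini fragment are constructed samples, and the log layout assumes Grafana's "Request Completed" logfmt lines.

```python
"""Defensive checks for CVE-2021-39226: grafana.ini audit plus request-log detection."""
import configparser
import shlex

# Endpoints named in the summary; "/api/snapshot" also matches Grafana's "/api/snapshots/".
SNAPSHOT_PREFIXES = ("/api/snapshot", "/dashboard/snapshot")
# Constructed sample of Grafana "Request Completed" log lines (logfmt), not real traffic.
SAMPLE_LOG = """\
t=2021-10-05T10:00:01+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/api/snapshots/:key status=200 remote_addr=198.51.100.7 time_ms=3 size=812 referer=
t=2021-10-05T10:00:02+0000 lvl=info msg="Request Completed" logger=context userId=1 orgId=1 uname=admin method=GET path=/api/dashboards/home status=200 remote_addr=10.0.0.5 time_ms=5 size=400 referer=
t=2021-10-05T10:00:03+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/dashboard/snapshot/Xb4zR9k status=200 remote_addr=203.0.113.9 time_ms=4 size=9000 referer=
t=2021-10-05T10:00:04+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/dashboard/snapshot/:key status=200 remote_addr=198.51.100.7 time_ms=2 size=9000 referer=
"""

# Constructed grafana.ini fragment with the risky setting enabled.
SAMPLE_INI = "[snapshots]\npublic_mode = true\n"


def parse_logfmt(line):
    """Split one logfmt line into a dict; shlex keeps the quoted msg value whole."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def find_literal_key_requests(log_text):
    """Return (remote_addr, method, path, status) for snapshot-endpoint requests whose
    path still carries a literal route placeholder such as ':key'. No real client
    sends the placeholder, so every hit is a probe for, or a trigger of, the bypass."""
    hits = []
    for line in log_text.splitlines():
        f = parse_logfmt(line)
        path = f.get("path", "")
        if path.startswith(SNAPSHOT_PREFIXES) and any(
            seg.startswith(":") for seg in path.split("/")
        ):
            hits.append((f.get("remote_addr"), f.get("method"), path, f.get("status")))
    return hits


def snapshot_public_mode(ini_text):
    """True when [snapshots] public_mode is on: the setting that lets the flaw be
    used for unauthenticated deletion rather than only viewing."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    return cfg.getboolean("snapshots", "public_mode", fallback=False)
```

Feed `find_literal_key_requests` the contents of Grafana's server log (request logging must be enabled) and raise an alert on any non-empty result; a `True` from `snapshot_public_mode` on the live grafana.ini means workaround step 1 has not been applied.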
**Urgency**: **HIGH**. CVSS Score is **Critical** (likely 9.0+ based on vector). Immediate patching to 7.5.11+ or 8.1.6+ is strongly recommended. Do not ignore!