1. Home
  2. Mapping Frameworks
  3. Known Exploited Vulnerabilities Home
  4. Grafana Authentication Bypass Vulnerability

Known Exploited Vulnerabilities CVE-2021-39226 Mappings

Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CVE-2021-39226 Grafana Authentication Bypass Vulnerability primary_impact T1485 Data Destruction
Comments
This authentication bypass vulnerability is exploited by both unauthenticated and authenticated adversaries via the snapshot feature in Grafana. Attackers have leveraged this vulnerability to access and manipulate snapshot data, potentially leading to unauthorized data exposure and loss. Exploitation techniques have not been publicly published. In exploitation scenarios, adversaries can view snapshots with the lowest database key by accessing specific paths, such as /dashboard/snapshot/:key or /api/snapshots/:key. If the "public_mode" configuration is set to true, unauthenticated users can also delete these snapshots using the path /api/snapshots-delete/:deleteKey. This capability allows attackers to enumerate and delete snapshot data, resulting in complete data loss.
References
  1. https://unit42.paloaltonetworks.com/recent-exploits-network-security-trends/#:~:text=Additionally%2C%20we%20provide%20insight%20into
  2. well%20as%20through%20Cortex%20XDR.&text=Updated%20Sept.
  3. that%20were%20listed%20in%20error.
  4. https://grafana.com/blog/2021/10/05/grafana-7.5.11-and-8.1.6-released-with-critical-security-fix/
CVE-2021-39226 Grafana Authentication Bypass Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
Comments
This authentication bypass vulnerability is exploited by both unauthenticated and authenticated adversaries via the snapshot feature in Grafana. Attackers have leveraged this vulnerability to access and manipulate snapshot data, potentially leading to unauthorized data exposure and loss. Exploitation techniques have not been publicly published. In exploitation scenarios, adversaries can view snapshots with the lowest database key by accessing specific paths, such as /dashboard/snapshot/:key or /api/snapshots/:key. If the "public_mode" configuration is set to true, unauthenticated users can also delete these snapshots using the path /api/snapshots-delete/:deleteKey. This capability allows attackers to enumerate and delete snapshot data, resulting in complete data loss.
References
  1. https://unit42.paloaltonetworks.com/recent-exploits-network-security-trends/#:~:text=Additionally%2C%20we%20provide%20insight%20into,well%20as%20through%20Cortex%20XDR.&text=Updated%20Sept.,that%20were%20listed%20in%20error.
  2. https://grafana.com/blog/2021/10/05/grafana-7.5.11-and-8.1.6-released-with-critical-security-fix/