This vulnerability allows any unauthenticated user/client to access the Grafana snapshot HTTP API and create a denial of service attack by posting large amounts of dashboard snapshot payloads to the /api/snapshotsHTTP API endpoint.
Created grafana tracking bugs for this issue:
Affects: fedora-all [bug 1747308]
Block access to the snapshot feature by blocking the /api/snapshots
URL via a web application firewall, load balancer, reverse proxy etc.
You can also set 'external_enabled' to false to disable external
snapshot publish endpoint (default true). Note, it will completely
disable this feature.
# cat /etc/grafana/grafana.ini
# snapshot sharing options
external_enabled = false
external_snapshot_url = https://snapshots-origin.raintank.io
external_snapshot_name = Publish to snapshot.raintank.io
Name: the Grafana team
OpenShift Container Platform secures all usages of Grafana behind the oauth-proxy, preventing access to Grafana without authentication. Red Hat Product Security have rated this vulnerability as Low for OpenShift Container Platform.
This issue affects the version of Grafana as shipped with Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3, as it contains the vulnerable snapshot functionality.
`/api/snapshots` endpoint is deeply integrated in grafana codebase and CANNOT be completely disabled. One can only disable sharing snapshots externally with `external_enabled = false` option , which removes `/api/snapshot/shared-options` endpoint .
In OpenShift all grafana endpoints are protected with oauth-proxy, preventing access to Grafana without authentication.
I would argue that in case of OpenShift this is not an issue.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:1659 https://access.redhat.com/errata/RHSA-2020:1659
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):