In affected versions of Grafana, unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss.

References:
https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269
https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/
https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/
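The literal placeholder paths quoted above give a defender something concrete to hunt for in access logs of a reverse proxy in front of Grafana. The following is an added example, not part of this bug report or of Grafana's own code: it scans constructed combined-format log lines (the log format is an assumption) and flags requests whose decoded path is one of the literal :key / :deleteKey routes, labelling each hit as a snapshot view or delete so that the walk-and-delete pattern described above stands out.

```python
import re
from urllib.parse import urlparse, unquote

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [04/Oct/2021:10:12:01 +0000] "GET /api/snapshots/:key HTTP/1.1" 200 1523
10.0.0.5 - - [04/Oct/2021:10:12:03 +0000] "GET /api/snapshots-delete/:deleteKey HTTP/1.1" 200 45
10.0.0.9 - - [04/Oct/2021:10:13:10 +0000] "GET /dashboard/snapshot/:key?orgId=1 HTTP/1.1" 200 8200
10.0.0.7 - - [04/Oct/2021:10:14:00 +0000] "GET /api/snapshots/Ab12Cd34 HTTP/1.1" 200 1523
10.0.0.7 - - [04/Oct/2021:10:15:00 +0000] "DELETE /api/snapshots/%3Akey HTTP/1.1" 200 12
"""

# ip, timestamp, method, path and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Literal placeholder routes named in the advisory and what a GET on them reaches.
LITERAL_PATHS = {
    "/dashboard/snapshot/:key": "view",
    "/api/snapshots/:key": "view",            # DELETE on this route removes the snapshot
    "/api/snapshots-delete/:deleteKey": "delete",
}


def classify(method, raw_path):
    """Return 'view' or 'delete' if the request hits a literal placeholder route, else None."""
    # Strip the query string and percent-decoding so "%3Akey" is treated like ":key".
    path = unquote(urlparse(raw_path).path)
    action = LITERAL_PATHS.get(path)
    if action is None:
        return None
    return "delete" if method.upper() == "DELETE" else action


def scan_log(text):
    """Parse log lines and return one record per request that hit a literal route."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than fail the whole scan
        action = classify(m["method"], m["path"])
        if action:
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "path": m["path"], "action": action})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["action"]:6} {hit["method"]} {hit["path"]}')
```

Requests carrying a genuine snapshot key (the fourth sample line) are not flagged; only the literal placeholder segments are.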
Created grafana tracking bugs for this issue: Affects: fedora-all [bug 2012164]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:3769 https://access.redhat.com/errata/RHSA-2021:3769
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:3770 https://access.redhat.com/errata/RHSA-2021:3770
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3771 https://access.redhat.com/errata/RHSA-2021:3771
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-39226
*** Bug 2029998 has been marked as a duplicate of this bug. ***
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.10 Via RHSA-2022:0056 https://access.redhat.com/errata/RHSA-2022:0056
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2022:6252 https://access.redhat.com/errata/RHSA-2022:6252
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2022:6262 https://access.redhat.com/errata/RHSA-2022:6262
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.9 Via RHSA-2022:6317 https://access.redhat.com/errata/RHSA-2022:6317
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2022:6322 https://access.redhat.com/errata/RHSA-2022:6322
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2022:6308 https://access.redhat.com/errata/RHSA-2022:6308