Bug 1941024 (CVE-2021-27358) - CVE-2021-27358 grafana: snapshot feature allow an unauthenticated remote attacker to trigger a DoS via a remote API call
Summary: CVE-2021-27358 grafana: snapshot feature allow an unauthenticated remote atta...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-27358
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1941079 1942111 1942112 1942113 1944155 2039025 1941025 1941077 1941078 1941792 1941793 1942833 1943431 1943432
Blocks: 1941026
TreeView+ depends on / blocked
 
Reported: 2021-03-19 18:31 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-01-10 18:19 UTC (History)
36 users (show)

Fixed In Version: grafana 7.4.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Grafana. The snapshot feature allows unauthenticated remote attackers to trigger a denial of service (DoS) via a remote API call if anonymous access is enabled. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2021-08-06 01:07:14 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3016 0 None None None 2021-08-06 00:50:39 UTC
Red Hat Product Errata RHSA-2021:4226 0 None None None 2021-11-09 17:49:04 UTC

Description Guilherme de Almeida Suckevicz 2021-03-19 18:31:02 UTC
The snapshot feature in Grafana before 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.

References:
https://github.com/grafana/grafana/blob/master/CHANGELOG.md#742-2021-02-17
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-2/

Comment 1 Guilherme de Almeida Suckevicz 2021-03-19 18:31:35 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 1941025]

Comment 12 Hardik Vyas 2021-03-29 12:29:00 UTC
Statement:

While in OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) there is shipped a vulnerable version of grafana, access to the grafana panel is behind OpenShift OAuth proxy and requires admin permissions. Therefore these components are affected but with impact Low.

Red Hat Ceph Storage (RHCS) and Red Hat Gluster Storage 3 does not ship the directly affected code, however, they are still affected by this vulnerability because it allows the same configuration of anonymous snapshots, hence this issue has been rated as having a security impact of Low.

Comment 15 amctagga 2021-03-29 15:05:20 UTC
External References:

https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-2/

Comment 18 errata-xmlrpc 2021-08-06 00:50:36 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016

Comment 19 Product Security DevOps Team 2021-08-06 01:07:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-27358

Comment 20 errata-xmlrpc 2021-11-09 17:49:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4226 https://access.redhat.com/errata/RHSA-2021:4226


Note You need to log in before you can comment on or make changes to this bug.