Bug 1191454 - (CVE-2021-39226) VUL-0: CVE-2021-39226: grafana: snapshot authentication bypass
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: E-Mail List
Security Team bot
https://smash.suse.de/issue/311785/
CVSSv3.1:SUSE:CVE-2021-39226:7.3:(AV:...
Depends on:
Blocks:
Reported: 2021-10-07 14:54 UTC by Alexander Bergmann
Modified: 2022-05-12 11:05 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
thomas.leroy: needinfo? (ceph-bugs)


Description Alexander Bergmann 2021-10-07 14:54:26 UTC
rh#2011063

In affected versions of Grafana, unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss.

References:

https://bugzilla.redhat.com/show_bug.cgi?id=2011063
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-39226
http://www.openwall.com/lists/oss-security/2021/10/05/4
http://seclists.org/oss-sec/2021/q4/9
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39226
https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269
https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9
https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/
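The description above names three route placeholders that an affected Grafana served as literal paths. For a defender triaging this bug, two questions follow: did anyone request those literal paths, and is a given package build still affected? The script below is an added example written for this page; it is not part of the bug report and not Grafana's own code. It parses access-log lines in the common log format (an assumption about the proxy in front of Grafana), flags requests whose decoded path equals one of the placeholder paths from the advisory text, and compares a version string against 7.5.11 and 8.1.6, the release-note versions linked above; treating those as the first fixed release on each branch, and older branches as unfixed, is an assumption. All log lines are constructed samples.

```python
"""Triage helper for CVE-2021-39226 (added example, not Grafana's code)."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, unquote

# Paths the advisory text lists as reachable with the route placeholder left in.
LITERAL_PLACEHOLDER_PATHS = (
    "/dashboard/snapshot/:key",
    "/api/snapshots/:key",
    "/api/snapshots-delete/:deleteKey",
)

# Common log format (assumed): host ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_log_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string and decode percent-encoding so "%3Akey" compares as ":key".
    rec["path"] = unquote(urlsplit(rec["target"]).path)
    return rec


def is_placeholder_request(path: str) -> bool:
    """True when the request path is one of the literal placeholder paths."""
    return path.rstrip("/") in LITERAL_PLACEHOLDER_PATHS


def find_placeholder_requests(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (host, user, method, path) for every request hitting a placeholder path."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec and is_placeholder_request(rec["path"]):
            hits.append((rec["host"], rec["user"], rec["method"], rec["path"]))
    return hits


# First fixed release per branch, from the release notes referenced in this bug
# (assumption: nothing older on either branch carries the fix).
FIXED_VERSIONS = {7: (7, 5, 11), 8: (8, 1, 6)}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "7.5.12-1.27.1" or "8.1.5" into a comparable tuple, ignoring the package release."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version: str) -> bool:
    """True when the version predates the fix on its branch (branch handling is an assumption)."""
    parsed = parse_version(version)
    major = parsed[0]
    if major < 7:
        return True   # assumed: branches before 7.x never received the fix
    if major > 8:
        return False  # assumed: later majors were cut after the fix landed
    return parsed < FIXED_VERSIONS[major]


# Constructed sample log lines; the hosts are documentation-range addresses.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Oct/2021:10:01:02 +0000] "GET /dashboard/snapshot/abc123def HTTP/1.1" 200 5123',
    '203.0.113.7 - - [07/Oct/2021:10:01:05 +0000] "GET /dashboard/snapshot/:key HTTP/1.1" 200 5123',
    '198.51.100.9 - - [07/Oct/2021:10:02:11 +0000] "GET /api/snapshots/%3Akey HTTP/1.1" 200 4876',
    '198.51.100.9 - admin [07/Oct/2021:10:02:30 +0000] "GET /api/snapshots-delete/:deleteKey HTTP/1.1" 200 42',
    '192.0.2.4 - - [07/Oct/2021:10:03:00 +0000] "GET /api/health HTTP/1.1" 200 20',
    'not a log line',
]

if __name__ == "__main__":
    for hit in find_placeholder_requests(SAMPLE_LOG):
        print("placeholder-path request:", hit)
    for ver in ("7.5.10", "7.5.12-1.27.1", "8.1.5", "8.1.6"):
        print(ver, "affected" if is_affected(ver) else "fixed")
```

The percent-decoding step matters: a proxy may log the encoded form, and the match is on the decoded path. The version check accepts the `grafana-7.5.12-1.27.1` form that the SUSE update comments below use, so a package version can be pasted in directly.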
Comment 3 Swamp Workflow Management 2022-01-20 17:21:31 UTC
SUSE-SU-2022:0138-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1191454,1193688
CVE References: CVE-2021-39226,CVE-2021-43813
JIRA References: 
Sources used:
SUSE Manager Tools 12 (src):    grafana-7.5.12-1.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Swamp Workflow Management 2022-01-20 17:24:02 UTC
openSUSE-SU-2022:0140-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1191454,1193688
CVE References: CVE-2021-39226,CVE-2021-43813
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    grafana-7.5.12-3.18.1
Comment 5 Swamp Workflow Management 2022-01-20 17:28:19 UTC
SUSE-SU-2022:0139-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1191454,1193688
CVE References: CVE-2021-39226,CVE-2021-43813
JIRA References: 
Sources used:
SUSE Manager Tools 15 (src):    grafana-7.5.12-1.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2022-02-02 14:41:55 UTC
SUSE-SU-2022:0310-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (moderate)
Bug References: 1173103,1191285,1191454,1192487,1193600,1193688
CVE References: CVE-2021-39226,CVE-2021-43813
JIRA References: 
Sources used:
SUSE Manager Tools 12-BETA (src):    grafana-7.5.12-4.18.1, kiwi-desc-saltboot-0.1.1639488226.7c9eab9-4.12.1, mgr-cfg-4.3.3-4.18.2, mgr-custom-info-4.3.3-4.12.1, mgr-osad-4.3.3-4.21.2, mgr-push-4.3.2-4.12.2, mgr-virtualization-4.3.2-4.12.2, python-hwdata-2.3.5-15.9.1, rhnlib-4.3.2-24.21.1, salt-3000-49.41.3, spacecmd-4.3.5-41.30.1, spacewalk-client-tools-4.3.5-55.36.2, spacewalk-koan-4.3.2-27.12.1, spacewalk-oscap-4.3.2-22.12.1, spacewalk-remote-utils-4.3.2-27.12.2, suseRegisterInfo-4.3.2-28.18.1, uyuni-common-libs-4.3.2-3.24.1, zypp-plugin-spacewalk-1.0.11-33.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2022-02-02 14:53:44 UTC
SUSE-SU-2022:0311-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1190781,1191454,1192487,1193600,1193688
CVE References: CVE-2021-39226,CVE-2021-43813
JIRA References: 
Sources used:
SUSE Manager Tools 15-BETA (src):    ansible-2.9.21-159000.3.6.2, grafana-7.5.12-159000.4.18.3, mgr-cfg-4.3.4-159000.4.20.2, mgr-custom-info-4.3.3-159000.4.12.3, mgr-osad-4.3.3-159000.4.21.4, mgr-push-4.3.2-159000.4.12.4, mgr-virtualization-4.3.2-159000.4.12.3, python-hwdata-2.3.5-159000.5.10.3, rhnlib-4.3.2-159000.6.21.3, salt-3003.3-159000.8.47.2, spacecmd-4.3.5-159000.6.30.3, spacewalk-client-tools-4.3.5-159000.6.36.5, spacewalk-koan-4.3.2-159000.6.12.3, spacewalk-oscap-4.3.2-159000.6.12.3, spacewalk-remote-utils-4.3.2-159000.6.12.3, suseRegisterInfo-4.3.2-159000.6.18.3, uyuni-common-libs-4.3.2-159000.3.24.4, zypp-plugin-spacewalk-1.0.11-159000.6.18.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Thomas Leroy 2022-05-12 11:05:04 UTC
Hi, could it be possible to also submit to
SUSE:SLE-12-SP3:Update:Products:Cloud8:Update, SUSE:SLE-12-SP4:Update:Products:Cloud9:Update and SUSE:SLE-15-SP1:Update:Products:SES6:Update please? :)