OpenCVE

The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Grafana	Grafana
Netapp	E-series Performance Analyzer
Redhat	Acm Enterprise Linux

Configuration 1 [-]

cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8
rhacm2/acm-grafana-rhel8:v2.3.0-38	cpe:/a:redhat:acm:2.3::el8	RHSA-2021:3016	2021-08-06T00:00:00Z
Red Hat Enterprise Linux 8
grafana-0:7.5.9-4.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2021:4226	2021-11-09T00:00:00Z

References

Link	Providers
https://github.com/grafana/grafana/blob/master/CHANGELOG.md
https://github.com/grafana/grafana/blob/master/CHANGELOG.md#742-2021-02-17
https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-2/
https://nvd.nist.gov/vuln/detail/CVE-2021-27358
https://security.netapp.com/advisory/ntap-20210513-0007/
https://www.cve.org/CVERecord?id=CVE-2021-27358

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-03-18T19:43:04

Updated: 2024-08-03T20:48:16.124Z

Reserved: 2021-02-16T00:00:00

Link: CVE-2021-27358

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-03-18T20:15:13.253

Modified: 2022-05-23T22:32:27.733

Link: CVE-2021-27358

Redhat

Severity : Moderate

Publid Date: 2021-02-17T00:00:00Z

Links: CVE-2021-27358 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-05-13T20:06:12", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/grafana/grafana/blob/master/CHANGELOG.md"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-2/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/grafana/grafana/blob/master/CHANGELOG.md#742-2021-02-17"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20210513-0007/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-27358", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/grafana/grafana/blob/master/CHANGELOG.md", "refsource": "CONFIRM", "url": "https://github.com/grafana/grafana/blob/master/CHANGELOG.md"}, {"name": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-2/", "refsource": "CONFIRM", "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-2/"}, {"name": "https://github.com/grafana/grafana/blob/master/CHANGELOG.md#742-2021-02-17", "refsource": "CONFIRM", "url": "https://github.com/grafana/grafana/blob/master/CHANGELOG.md#742-2021-02-17"}, {"name": "https://security.netapp.com/advisory/ntap-20210513-0007/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210513-0007/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:48:16.124Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/grafana/grafana/blob/master/CHANGELOG.md"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-2/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/grafana/grafana/blob/master/CHANGELOG.md#742-2021-02-17"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20210513-0007/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-27358", "datePublished": "2021-03-18T19:43:04", "dateReserved": "2021-02-16T00:00:00", "dateUpdated": "2024-08-03T20:48:16.124Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "0BE6AA9C-F31D-4F0D-B6FE-B144164C6FF6", "versionEndIncluding": "7.4.1", "versionStartIncluding": "6.7.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*", "matchCriteriaId": "24B8DB06-590A-4008-B0AB-FCD1401C77C6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set."}, {"lang": "es", "value": "La funcionalidad snapshot en Grafana versiones 6.7.3 hasta la 7.4.1, puede permitir a atacantes remotos no autenticados desencadenar una Denegaci\u00f3n de Servicio por medio de una llamada de la API remota si es ajustada una configuraci\u00f3n usada com\u00fanmente"}], "id": "CVE-2021-27358", "lastModified": "2022-05-23T22:32:27.733", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-18T20:15:13.253", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/grafana/grafana/blob/master/CHANGELOG.md"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/grafana/grafana/blob/master/CHANGELOG.md#742-2021-02-17"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-2/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210513-0007/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:3016", "cpe": "cpe:/a:redhat:acm:2.3::el8", "impact": "low", "package": "rhacm2/acm-grafana-rhel8:v2.3.0-38", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8", "release_date": "2021-08-06T00:00:00Z"}, {"advisory": "RHSA-2021:4226", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "grafana-0:7.5.9-4.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}], "bugzilla": {"description": "grafana: snapshot feature allow an unauthenticated remote attacker to trigger a DoS via a remote API call", "id": "1941024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1941024"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-862->CWE-400", "details": ["The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.", "A flaw was found in Grafana. The snapshot feature allows unauthenticated remote attackers to trigger a denial of service (DoS) via a remote API call if anonymous access is enabled. The highest threat from this vulnerability is to system availability."], "name": "CVE-2021-27358", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:1", "fix_state": "Out of support scope", "impact": "low", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 1"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "impact": "low", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "impact": "low", "package_name": "grafana-container", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Affected", "impact": "low", "package_name": "rhceph/rhceph-4-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "impact": "low", "package_name": "openshift3/grafana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "low", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "impact": "low", "package_name": "grafana", "product_name": "Red Hat Storage 3"}], "public_date": "2021-02-17T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-27358\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-27358\nhttps://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-2/"], "statement": "While in OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) there is shipped a vulnerable version of grafana, access to the grafana panel is behind OpenShift OAuth proxy and requires admin permissions. Therefore these components are affected but with impact Low.\nRed Hat Ceph Storage (RHCS) and Red Hat Gluster Storage 3 does not ship the directly affected code, however, they are still affected by this vulnerability because it allows the same configuration of anonymous snapshots, hence this issue has been rated as having a security impact of Low.", "threat_severity": "Moderate", "upstream_fix": "grafana 7.4.2"}