CVE-2021-39226
high
KEV
CVSS v3
—
CVSS v2
—
VIR risk
9.5
Description
Grafana contains an authentication bypass vulnerability that allows authenticated and unauthenticated users to view and delete all snapshot data, potentially resulting in complete snapshot data loss.
CISA KEV
- Vendor
- Grafana Labs
- Product
- Grafana
- Due date
- 2022-09-15
Predictions
Exploit likelihood
99%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cisa-kev — https://grafana.com/blog/2021/10/05/grafana-7.5.11-and-8.1.6-released-with-critical-security-fix/; https://nvd.nist.gov/vuln/detail/CVE-2021-39226
Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2021:3771
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2021-39226.html
Exploits
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| arch | | fixed | 8.1.6-1 |
| sles | | affected | |
| rocky | 8 | fixed | |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Go | github.com/grafana/grafana | <7.5.11 | 7.5.11 |
| Go | github.com/grafana/grafana | >=8.0.0,<8.1.6 | 8.1.6 |
References
- https://www.suse.com/security/cve/CVE-2021-39226.html
- https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9
- https://nvd.nist.gov/vuln/detail/CVE-2021-39226
- https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269
- https://github.com/grafana/grafana
- https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11
- https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E6ANHRDBXQT6TURLP2THM26ZPDINFBEG
- https://security.netapp.com/advisory/ntap-20211029-0008
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39226
- http://www.openwall.com/lists/oss-security/2021/10/05/4
- https://errata.rockylinux.org/RLSA-2021:3771
- https://grafana.com/blog/2021/10/05/grafana-7.5.11-and-8.1.6-released-with-critical-security-fix/