
Cloud Vulnerability DB
A community-led vulnerabilities database
Grafana, an open source data visualization platform, was affected by a critical authentication bypass vulnerability (CVE-2021-39226) discovered on September 15, 2021. The vulnerability affected all Grafana versions from 2.0.1 to 8.1.5 and was patched in versions 7.5.11 and 8.1.6. This security issue allowed both authenticated and unauthenticated users to access and potentially delete snapshot data through specific API endpoints (GitHub Advisory).
The vulnerability received a CVSS v3.1 score of 9.8 (Critical) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue allowed unauthorized access to snapshots by requesting the literal route paths, with the placeholder strings left in place of a real snapshot key, including '/dashboard/snapshot/:key' and '/api/snapshots/:key'. If the snapshot 'public_mode' configuration setting was set to true, unauthenticated users could also delete snapshots via '/api/snapshots-delete/:deleteKey'. Authenticated users could delete snapshots regardless of the 'public_mode' setting (GitHub Advisory).
The vulnerability enabled unauthorized access to snapshot data and potential complete snapshot data loss through a combination of viewing and deletion capabilities. This could lead to disclosure of sensitive information, modification of data, and denial of service. The attack could be executed remotely with no user interaction required (NetApp Security).
The vulnerability was patched in Grafana versions 7.5.11 and 8.1.6. For users unable to upgrade immediately, a workaround was provided: block access to the vulnerable literal paths at a reverse proxy in front of Grafana, namely '/api/snapshots/:key', '/api/snapshots-delete/:deleteKey', and '/dashboard/snapshot/:key'. These literal paths had no normal function and could be disabled without side effects (GitHub Advisory).
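The same literal paths that the workaround blocks are also a clean detection signal in reverse-proxy access logs: a legitimate client never requests the placeholder string ':key' or ':deleteKey' itself. The scanner below is an added example, not code from Wiz or Grafana; it assumes the proxy writes common/combined log format, and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Literal placeholder paths from the advisory; a request for the placeholder string itself is the indicator.
LITERAL_PATHS = {
    "/api/snapshots/:key": "view",
    "/dashboard/snapshot/:key": "view",
    "/api/snapshots-delete/:deleteKey": "delete",
}

# Common/combined access log format (assumed): client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def normalize_path(target):
    """Decoded path without query string or trailing slash, so /api/snapshots/%3Akey still matches."""
    path = unquote(urlsplit(target).path)
    return path.rstrip("/") if len(path) > 1 else path

def classify(line):
    """Return a finding dict for a hit on a literal snapshot path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize_path(m.group("target"))
    action = LITERAL_PATHS.get(path)
    if action is None:
        return None
    status = int(m.group("status"))
    return {
        "client": m.group("client"),
        "method": m.group("method"),
        "path": path,
        "action": action,
        "status": status,
        # A 2xx means the reverse proxy passed the request through and Grafana answered it.
        "served": 200 <= status < 300,
    }

def scan(lines):
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Sep/2021:10:00:01 +0000] "GET /api/snapshots/abc123 HTTP/1.1" 200 512',
    '203.0.113.5 - - [16/Sep/2021:10:00:02 +0000] "GET /api/snapshots/:key HTTP/1.1" 200 2048',
    '203.0.113.5 - - [16/Sep/2021:10:00:03 +0000] "GET /api/snapshots/%3Akey?x=1 HTTP/1.1" 200 2048',
    '203.0.113.5 - - [16/Sep/2021:10:00:04 +0000] "GET /api/snapshots-delete/:deleteKey HTTP/1.1" 200 17',
    '198.51.100.7 - - [16/Sep/2021:10:00:05 +0000] "GET /dashboard/snapshot/:key/ HTTP/1.1" 403 0',
]
```

A finding with "served" true means the request reached Grafana before the block was in place; one with a 403 confirms the proxy rule is doing its job.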
Grafana Labs responded promptly to the vulnerability, with Grafana Cloud instances being patched immediately upon discovery. Grafana Enterprise customers received updated binaries under embargo before the public disclosure. The vulnerability was also acknowledged and addressed by various organizations, including Red Hat and NetApp, who issued their own security advisories (Red Hat Portal, NetApp Security).
Source: This report was generated using AI