Grafana Snapshot Authentication Bypass (CVE-2021-39226)
Description
Grafana versions prior to the patched releases contain an authentication bypass vulnerability that allows unauthorized access to snapshot data. The vulnerability stems from improper access controls on the snapshot viewing functionality, enabling attackers to retrieve snapshots by manipulating database key values without providing valid credentials. This affects the confidentiality of dashboard snapshots that may contain sensitive operational or business data.
Remediation
Immediately upgrade Grafana to a patched version that addresses CVE-2021-39226. Specifically, upgrade to Grafana version 8.1.6 or later for the 8.x branch, version 8.0.7 or later for the 8.0.x branch, or version 7.5.11 or later for the 7.5.x branch. After upgrading, review existing snapshots for potential unauthorized access and consider rotating any credentials or sensitive information that may have been exposed. Implement network-level access controls to restrict Grafana access to trusted networks where possible. Verify that snapshot functionality requires proper authentication by testing access without credentials after the upgrade.
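The first remediation step is a version check against the three patched releases named above. The script below is an added example (not Grafana's own tooling and not part of this advisory): it reads the running version from Grafana's unauthenticated `/api/health` endpoint, which returns a JSON document with a `version` field, and compares it against the 7.5.11 / 8.0.7 / 8.1.6 thresholds using the branch rules stated in the remediation text. Releases on branches newer than 8.1 are treated as patched and anything older than 7.5 as unpatched; that interpretation of "or later" is an assumption, as is the health endpoint's response shape.

```python
"""Check whether a Grafana instance runs a release patched for CVE-2021-39226.

Added example; the endpoint shape (/api/health returning {"version": "..."}) is an
assumption about Grafana's HTTP API, not something stated in the advisory.
"""
import json
import re
import sys
import urllib.request

# Minimum patched release per branch, exactly as listed in the advisory.
PATCHED_BRANCHES = {
    (7, 5): 11,   # 7.5.11 or later
    (8, 0): 7,    # 8.0.7 or later
    (8, 1): 6,    # 8.1.6 or later
}
NEWEST_LISTED_BRANCH = (8, 1)


def parse_version(version: str) -> tuple:
    """Extract (major, minor, patch) from strings such as '8.1.5', 'v7.5.10' or '8.1.6-pre'."""
    match = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not match:
        raise ValueError(f"unrecognised Grafana version string: {version!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_patched(version: str) -> bool:
    """True when the version is at or above the fix threshold for its branch.

    Branches newer than 8.1 shipped after the fix and count as patched (assumption);
    branches older than 7.5 received no fix and count as unpatched.
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in PATCHED_BRANCHES:
        return patch >= PATCHED_BRANCHES[branch]
    return branch > NEWEST_LISTED_BRANCH


def required_release(version: str) -> str:
    """Human-readable target release for an unpatched version, for the remediation report."""
    major, minor, _ = parse_version(version)
    branch = (major, minor)
    if branch in PATCHED_BRANCHES:
        return f"{major}.{minor}.{PATCHED_BRANCHES[branch]}"
    # Pre-7.5 branches have no fix of their own; the oldest patched line is 7.5.11.
    return "7.5.11 (or a supported 8.x release)"


def fetch_version(base_url: str, timeout: float = 5.0) -> str:
    """Read the version string from Grafana's health endpoint (no credentials needed)."""
    url = f"{base_url.rstrip('/')}/api/health"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)["version"]


def report(version: str) -> str:
    """Summarise patch status for one version string."""
    if is_patched(version):
        return f"Grafana {version}: patched for CVE-2021-39226"
    return (f"Grafana {version}: VULNERABLE to CVE-2021-39226, "
            f"upgrade to {required_release(version)} or later")


if __name__ == "__main__":
    # Usage: python check_grafana.py https://grafana.example.internal
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:3000"
    running = fetch_version(base)
    print(report(running))
    sys.exit(0 if is_patched(running) else 1)
```

The exit status makes the script usable from a fleet inventory job: a non-zero result marks the host for the upgrade and the follow-up snapshot review the advisory calls for.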