CVE-2019-15043
Published 2019-09-03
Priority: P2 (69) · high · 7.5 (CVSS 3.0)
Exploit: EPSS 63.39% (99.1th percentile)
In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grafana | grafana | >= 2.0.0 < 5.4.5 | 5.4.5 |
| grafana | grafana | >= 6.0.0 < 6.3.4 | 6.3.4 |
Detection & IOCs (extracted from sources)
sigma: HTTP POST to /api/snapshots with unauthenticated request returning 200 and body containing 'deleteUrl', 'deleteKey', 'key', 'url'
- Check for unauthenticated access to /api/snapshot/shared-options as a secondary indicator of snapshot API exposure.
- Setting 'external_enabled = false' in grafana.ini only disables external snapshot sharing and removes /api/snapshot/shared-options; it does NOT fully disable the /api/snapshots endpoint, leaving the DoS vector partially open.
- OpenShift Container Platform deployments protect Grafana behind oauth-proxy, which prevents unauthenticated access and mitigates this vulnerability regardless of Grafana version.
- Fedora deployments of Grafana shipped with external_enabled = false by default in grafana.ini, but this does not prevent a user from re-enabling the snapshot feature.
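A detection pass over reverse-proxy access logs that implements the indicators above (unauthenticated 200s on POST /api/snapshots, the shared-options secondary indicator, and the snapshot-reply keys), as an added example that is not part of the page's sources; the log layout, the auth=yes/no field and the sample lines are constructed assumptions.

```python
import json
import re
from collections import Counter

# Constructed reverse-proxy access-log layout (an assumption, not Grafana's own
# log format): "<ts> <ip> <method> <path> <status> auth=<yes|no>", where
# auth=yes means the proxy saw a session cookie or Authorization header.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) auth=(?P<auth>yes|no)$"
)

# Constructed sample log: one client repeatedly hitting /api/snapshots without credentials.
SAMPLE_LOG = """\
2019-09-03T10:00:00Z 198.51.100.7 POST /api/snapshots 200 auth=no
2019-09-03T10:00:01Z 198.51.100.7 POST /api/snapshots 200 auth=no
2019-09-03T10:00:02Z 198.51.100.7 POST /api/snapshots 200 auth=no
2019-09-03T10:00:03Z 198.51.100.7 GET /api/snapshot/shared-options 200 auth=no
2019-09-03T10:00:04Z 203.0.113.5 POST /api/snapshots 200 auth=yes
2019-09-03T10:00:05Z 203.0.113.9 POST /api/snapshots 401 auth=no
2019-09-03T10:00:06Z 203.0.113.9 GET /api/dashboards/home 200 auth=yes
"""

# Keys in a snapshot-create reply; seeing them on an unauthenticated 200 confirms
# the endpoint actually accepted the request (useful where the WAF logs bodies).
SNAPSHOT_KEYS = {"deleteUrl", "deleteKey", "key", "url"}

def response_has_snapshot_keys(body: str) -> bool:
    """True when a response body looks like a successful snapshot-create reply."""
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return isinstance(data, dict) and SNAPSHOT_KEYS.issubset(data)

def detect(log_text: str, burst_threshold: int = 3):
    """Return (primary, secondary, bursts): unauthenticated 200s per client IP on
    POST /api/snapshots, on GET /api/snapshot/shared-options, and the IPs whose
    primary count reached burst_threshold (the DoS pattern)."""
    primary, secondary = Counter(), Counter()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m["auth"] != "no" or m["status"] != "200":
            continue  # only unauthenticated requests the server accepted
        if m["method"] == "POST" and m["path"] == "/api/snapshots":
            primary[m["ip"]] += 1
        elif m["method"] == "GET" and m["path"] == "/api/snapshot/shared-options":
            secondary[m["ip"]] += 1
    bursts = {ip: n for ip, n in primary.items() if n >= burst_threshold}
    return dict(primary), dict(secondary), bursts
```

On the sample log this flags 198.51.100.7 for three accepted unauthenticated snapshot posts plus the shared-options probe, while the authenticated and rejected requests are ignored.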
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
GHSA
GHSA-c6x5-653c-4grh (ghsa_unreviewed · 2022-05-24 · HIGH · CWE-306): same description as above.
OSV
CVE-2019-15043 (osv · 2019-09-03 · CVSS 7.5 · HIGH): same description as above.
Red Hat
grafana: incorrect access control in snapshot HTTP API leads to denial of service (vendor_redhat · 2019-08-29 · CVSS 7.5 · HIGH · CWE-284)
Statement: OpenShift Container Platform secures all usages of Grafana behind the oauth-proxy, preventing access to Grafana without authentication. Red Hat Product Security have rated this vulnerability as Low for OpenShift Container Platform.
This issue affects the version of Grafana as shipped with Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3, as it contains the vulnerable snapshot functionality.
Mitigation: Block access to the snapshot feature by blocking the /api/snapshots URL via a web application firewall, load ba
No detection rules found.
Nuclei
Grafana - Improper Access Control (nuclei · CVSS 7.5 · HIGH)
Grafana 2.x through 6.x before 6.3.4 is susceptible to improper access control. An attacker can delete and create arbitrary snapshots, leading to denial of service.
Template:
```yaml
id: CVE-2019-15043

info:
  name: Grafana - Improper Access Control
  author: Joshua Rogers
  severity: high
  description: |
    Grafana 2.x through 6.x before 6.3.4 is susceptible to improper access control. An attacker can delete and create arbitrary snapshots, leading to denial of service.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information or perform unauthorized actions.
  remediation: Upgrade to 6.3.4 or higher.
  reference:
    - https://community.grafana.com/t/grafana-5-4-5-and-6-3-4-security-update/20569
    - https
```
Bugzilla
CVE-2019-15043 grafana: incorrect access control in snapshot HTTP API leads to denial of service [fedora-all] (bugzilla · 2019-08-30 · CVSS 7.5 · HIGH)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue aff
Bugzilla
CVE-2019-15043 grafana: incorrect access control in snapshot HTTP API leads to denial of service (bugzilla · 2019-08-29 · CVSS 7.5 · HIGH)
This vulnerability allows any unauthenticated user/client to access the Grafana snapshot HTTP API and create a denial of service attack by posting large amounts of dashboard snapshot payloads to the /api/snapshots HTTP API endpoint.
Discussion:
External Reference:
https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/
---
Created grafana tracking bugs for this issue:
Affects: fedora-all [bug 1747308]
---
Upstream patches:
https://github.com/grafana/grafana/commit/ebc257ad47133eb12ae63160c8b7307306f9ced8 [5.4.5]
https://github.com/grafana/grafana/commit/be2e2330f5c1f92082841d7eb13c5583143963a4 [6.3.4]
---
Mitigation:
Block access to the snap
References
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.html
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html
- https://community.grafana.com/t/grafana-5-4-5-and-6-3-4-security-update/20569
- https://community.grafana.com/t/release-notes-v6-3-x/19202
- https://github.com/grafana/grafana/releases
- https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RF5ARGYX3WYB7H2FDR7VAWTEQ27UX3FU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UO4NBL7PKW4OSFRVZENGC42EWEJV2YAH/
- https://security.netapp.com/advisory/ntap-20191004-0004/