CVE-2021-27358
published 2021-03-18


Priority: P179 (high)
CVSS 3.1: 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Exploitation: exploited in the wild (ITW); listed in VulnCheck KEV
EPSS: 83.04% (99.6th percentile)
The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.

Affected (2 ranges)

  github.com / grafana_grafana: >= 6.7.3, < 7.4.2 (fixed in 7.4.2)
  grafana / grafana: 6.7.3 through 7.4.1

Detection & IOCs (extracted from sources)

  url:   POST /api/snapshots HTTP/1.1
  path:  /api/snapshots
  other: "deleteUrl": AND "deleteKey": (response body indicators of successful unauthenticated snapshot creation)
  • Send an unauthenticated HTTP POST to /api/snapshots with a minimal dashboard JSON payload. A vulnerable Grafana instance (6.7.3 through 7.4.1) responds with HTTP 200 and a JSON body containing both 'deleteUrl' and 'deleteKey', confirming that unauthenticated snapshot creation is possible. Note that a successful probe has created a snapshot on the target; use the returned deleteUrl to remove it.
  • The attack is only exploitable when anonymous access (a commonly used configuration) is enabled on the Grafana instance. Hunt for internet-exposed Grafana instances with anonymous access enabled.
  • Use Shodan, FOFA, or Google dork queries to identify exposed Grafana instances that may be vulnerable targets.
  • Monitor for unauthenticated POST requests to /api/snapshots on Grafana servers. Legitimate snapshot creation requires authentication, so unauthenticated calls to this endpoint are anomalous and indicative of exploitation attempts; a 200 response means a snapshot was actually written.
  • Instances behind an authentication proxy (e.g., the OpenShift OAuth proxy requiring admin permissions) are significantly harder to exploit and are rated Low impact by Red Hat.
  • Red Hat Ceph Storage and Red Hat Gluster Storage 3 do not ship the directly affected code but are still affected because they allow the same configuration of anonymous snapshots.
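The three checks in the list above (the unauthenticated probe and its verdict rule, the anonymous-access configuration check, and the access-log hunt) as one script. This is an added example written for this page, not the page's own tooling and not code from Grafana or Red Hat. Everything not stated on the page is an assumption: the probe body and its 60-second expiry, the cleanup call to the returned deleteUrl, the `[auth.anonymous]` section name in grafana.ini, and the log-line layout, which imitates Grafana's router logging (`userId=0` for anonymous callers) but is constructed here and may not match every release.

```python
"""Added example for CVE-2021-27358 (not the page's, Grafana's or Red Hat's code).

1. classify_probe_response/probe: unauthenticated POST /api/snapshots; the page's
   rule is HTTP 200 + 'deleteUrl' + 'deleteKey' in the body = vulnerable.
2. anonymous_access_enabled: grafana.ini check ([auth.anonymous] is assumed).
3. hunt_snapshot_posts: anonymous POSTs to /api/snapshots in access logs
   (log layout is constructed here, modelled on Grafana's router logging).
"""
import configparser
import json
import re
import sys
import urllib.error
import urllib.request
from typing import List, Optional, Tuple

SNAPSHOT_PATH = "/api/snapshots"

# Minimal dashboard JSON (the page says a minimal payload suffices).
# 'expires' is an assumption: a short TTL limits what the probe leaves behind.
PROBE_BODY = {
    "dashboard": {"title": "cve-2021-27358-probe", "panels": []},
    "name": "cve-2021-27358-probe",
    "expires": 60,
}


def classify_probe_response(status: int, body: bytes) -> str:
    """Apply the page's indicator; returns 'vulnerable', 'not-vulnerable' or 'inconclusive'."""
    if status in (401, 403):
        return "not-vulnerable"  # the endpoint demanded authentication
    if status != 200:
        return "inconclusive"  # e.g. 404 when snapshots are disabled, or 5xx
    try:
        data = json.loads(body)
    except ValueError:
        return "inconclusive"
    if isinstance(data, dict) and "deleteUrl" in data and "deleteKey" in data:
        return "vulnerable"
    return "inconclusive"


def probe(base_url: str, timeout: float = 10.0) -> Tuple[str, Optional[str]]:
    """Send the probe with no Authorization header or cookie, on purpose.

    Returns (verdict, deleteUrl or None). A 'vulnerable' verdict means a
    snapshot now exists on the target, so pass deleteUrl to cleanup().
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + SNAPSHOT_PATH,
        data=json.dumps(PROBE_BODY).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read()
    verdict = classify_probe_response(status, body)
    delete_url = json.loads(body)["deleteUrl"] if verdict == "vulnerable" else None
    return verdict, delete_url


def cleanup(delete_url: str, timeout: float = 10.0) -> int:
    """Delete the probe's snapshot via the deleteUrl the server itself returned."""
    with urllib.request.urlopen(delete_url, timeout=timeout) as resp:
        return resp.status


# Constructed grafana.ini fragments: the weak setting the page names, and the fix.
WEAK_INI = "[auth.anonymous]\nenabled = true\norg_role = Viewer\n"
HARDENED_INI = "[auth.anonymous]\nenabled = false\n"


def anonymous_access_enabled(ini_text: str) -> bool:
    """True when the (assumed) [auth.anonymous] enabled key is on; absent = off."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    return cfg.getboolean("auth.anonymous", "enabled", fallback=False)


# Constructed log lines in a Grafana-like router-log layout (assumption).
SAMPLE_LOG = [
    'logger=context userId=0 orgId=1 uname= t=2021-03-20T10:01:02+0000 lvl=info msg="Request Completed" method=POST path=/api/snapshots status=200 remote_addr=198.51.100.7 time_ms=12',
    'logger=context userId=3 orgId=1 uname=alice t=2021-03-20T10:02:15+0000 lvl=info msg="Request Completed" method=POST path=/api/snapshots status=200 remote_addr=10.0.0.5 time_ms=9',
    'logger=context userId=0 orgId=1 uname= t=2021-03-20T10:03:40+0000 lvl=info msg="Request Completed" method=GET path=/api/health status=200 remote_addr=10.0.0.9 time_ms=1',
    'logger=context userId=0 orgId=1 uname= t=2021-03-20T10:04:01+0000 lvl=info msg="Request Completed" method=POST path=/api/snapshots status=401 remote_addr=198.51.100.7 time_ms=3',
]
LOG_RE = re.compile(r"userId=(\d+) .*?method=([A-Z]+) path=(\S+) status=(\d+) remote_addr=(\S+)")


def hunt_snapshot_posts(lines: List[str]) -> List[Tuple[str, int]]:
    """(remote_addr, status) for each anonymous (userId=0) POST to /api/snapshots.

    A 200 means a snapshot was written; any other status is still an attempt,
    since only authenticated users have a reason to call this endpoint.
    """
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group(1) == "0" and m.group(2) == "POST" and m.group(3) == SNAPSHOT_PATH:
            hits.append((m.group(5), int(m.group(4))))
    return hits


if __name__ == "__main__":
    # usage: python probe.py https://grafana.example.internal
    verdict, delete_url = probe(sys.argv[1])
    print(verdict)
    if delete_url:
        print("cleanup ->", cleanup(delete_url))
```

Two caveats when running the probe for real: it writes a snapshot to the target, so only run it against systems you are authorized to test and always follow up with cleanup(); and the deleteUrl is built by the server from its own configured root URL, so it may point at a hostname that is not reachable from the scanner, in which case rewrite its scheme and host to match base_url before calling cleanup().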

CVSS provenance

  nvd (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  nvd (v2.0): 5.0 MEDIUM, AV:N/AC:L/Au:N/C:N/I:N/A:P
  osv: 7.5 HIGH
  vulncheck: 7.5 HIGH
  vendor_redhat: 7.5 HIGH