CVE-2021-27358
Published 2021-03-18
Priority P1 · 79 · CVSS 3.1 7.5 (high)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 83.04% (99.6th percentile)
The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 6.7.3 < 7.4.2 | 7.4.2 |
| grafana | grafana | 6.7.3 – 7.4.1 | — |
Detection & IOCs (extracted from sources)
- url: POST /api/snapshots HTTP/1.1
- path: /api/snapshots
- other: "deleteUrl": AND "deleteKey": (response body indicators of successful unauthenticated snapshot creation)
- Send an unauthenticated HTTP POST to /api/snapshots with a minimal dashboard JSON payload. A vulnerable Grafana instance (6.7.3–7.4.1) will respond with HTTP 200 and a JSON body containing both 'deleteUrl' and 'deleteKey' fields, confirming that unauthenticated snapshot creation is possible.
- The attack is only exploitable when anonymous access (a commonly used configuration) is enabled on the Grafana instance. Detect or hunt for internet-exposed Grafana instances with anonymous access enabled.
- Use Shodan, FOFA, or Google dork queries to identify exposed Grafana instances that may be vulnerable targets.
- Monitor for unauthenticated POST requests to /api/snapshots on Grafana servers. Legitimate snapshot creation should require authentication; unauthenticated calls to this endpoint are anomalous and indicative of exploitation attempts.
- The vulnerability is only exploitable when anonymous access is enabled on the Grafana instance. Instances behind an authentication proxy (e.g., OpenShift OAuth proxy requiring admin permissions) are significantly harder to exploit and are rated Low impact by Red Hat.
- Red Hat Ceph Storage and Red Hat Gluster Storage 3 do not ship the directly affected code but are still affected because they allow the same configuration of anonymous snapshots.
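The monitoring guidance above (unauthenticated POSTs to /api/snapshots) as an added Python example, not code from the original page or from Grafana: it parses constructed Grafana router log lines and flags snapshot creations made by anonymous clients, counting them per source address. The key=value "Request Completed" layout and userId=0 marking anonymous requests are assumptions about Grafana's router_logging output.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample Grafana router log lines (format assumed from Grafana's
# router_logging "Request Completed" output; not taken from the original page).
# Grafana logs userId=0 and an empty uname for anonymous requests.
SAMPLE_LOG = """\
t=2021-03-01T10:00:01+0000 lvl=info msg="Request Completed" logger=context userId=1 orgId=1 uname=admin method=POST path=/api/snapshots status=200 remote_addr=10.0.0.8 time_ms=14 size=161 referer=
t=2021-03-01T10:00:05+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=1 uname= method=GET path=/api/snapshots/abc123 status=200 remote_addr=198.51.100.7 time_ms=3 size=980 referer=
t=2021-03-01T10:00:09+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=1 uname= method=POST path=/api/snapshots status=200 remote_addr=203.0.113.5 time_ms=11 size=161 referer=
t=2021-03-01T10:00:10+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=1 uname= method=POST path=/api/snapshots status=200 remote_addr=203.0.113.5 time_ms=12 size=161 referer=
t=2021-03-01T10:00:12+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=1 uname= method=POST path=/api/snapshots status=401 remote_addr=203.0.113.9 time_ms=2 size=52 referer=
"""

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

def parse_logfmt(line: str) -> dict:
    """Split a key=value log line into a dict, stripping quotes from quoted values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}

def find_anonymous_snapshot_posts(lines: Iterable[str], successful_only: bool = True) -> List[Tuple[str, str, int]]:
    """Return (timestamp, remote_addr, status) for POST /api/snapshots requests made
    by an unauthenticated (userId=0) client. With successful_only, keep only status
    200, i.e. a snapshot was actually created; a 4xx means the request was refused."""
    hits = []
    for line in lines:
        f = parse_logfmt(line)
        if f.get("msg") != "Request Completed":
            continue
        if f.get("method") != "POST" or f.get("path") != "/api/snapshots":
            continue
        if f.get("userId", "0") != "0":
            continue  # authenticated user: expected, legitimate snapshot creation
        status = int(f.get("status", "0"))
        if successful_only and status != 200:
            continue
        hits.append((f.get("t", ""), f.get("remote_addr", ""), status))
    return hits

def count_by_source(hits: List[Tuple[str, str, int]]) -> dict:
    """Hits per remote address: a burst from one source suggests a DoS attempt."""
    counts: dict = {}
    for _, addr, _ in hits:
        counts[addr] = counts.get(addr, 0) + 1
    return counts

if __name__ == "__main__":
    hits = find_anonymous_snapshot_posts(SAMPLE_LOG.splitlines())
    print(hits, count_by_source(hits))
```

On the sample, the authenticated POST and the anonymous GET are ignored, the refused 401 attempt is dropped by default, and the two anonymous creations from 203.0.113.5 are reported.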
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 7.5 | HIGH | — |
| vulncheck | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
Red Hat: grafana: snapshot feature allows an unauthenticated remote attacker to trigger a DoS via a remote API call
vendor_redhat · 2021-02-17 · CVSS 7.5 · HIGH · CWE-770
The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.
A flaw was found in Grafana. The snapshot feature allows unauthenticated remote attackers to trigger a denial of service (DoS) via a remote API call if anonymous access is enabled. The highest threat from this vulnerability is to system availability.
Statement: While OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) ship a vulnerable version of grafana, access to the grafana panel is behind OpenShift OA
GHSA: Denial of service in Grafana
ghsa · 2022-02-15 · MEDIUM · CWE-306
The snapshot feature in Grafana before 7.4.2 can allow unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.
### Specific Go Packages Affected
github.com/grafana/grafana/pkg/middleware
OSV: Denial of service in Grafana
osv · 2022-02-15 · MEDIUM
The snapshot feature in Grafana before 7.4.2 can allow unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.
### Specific Go Packages Affected
github.com/grafana/grafana/pkg/middleware
OSV: CVE-2021-27358: The snapshot feature in Grafana 6
osv · 2021-03-18 · CVSS 7.5 · HIGH
The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.
VulnCheck: Grafana Labs Grafana Vulnerability
vulncheck · 2021 · CVSS 7.5 · HIGH
The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.
Affected: Grafana Labs Grafana
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2026-05-01&host_type=src&vulnerability=cve-2021-27358
No detection rules found.
Nuclei: Grafana Unauthenticated Snapshot Creation
nuclei · CVSS 7.5 · HIGH
Grafana 6.7.3 through 7.4.1 snapshot functionality can allow an unauthenticated remote attacker to trigger a Denial of Service via a remote API call if a commonly used configuration is set.
Template (only the info section is indexed here):

```yaml
id: CVE-2021-27358

info:
  name: Grafana Unauthenticated Snapshot Creation
  author: pdteam,bing0o
  severity: high
  description: Grafana 6.7.3 through 7.4.1 snapshot functionality can allow an unauthenticated remote attacker to trigger a Denial of Service via a remote API call if a commonly used configuration is set.
  impact: |
    An attacker can create snapshots of sensitive data without authentication, potentially leading to unauthorized access and data exposure.
  remediation: |
    Upgrade to the latest version of Grafana that includes a fix for CVE-2021-27358
```
No writeups or analysis indexed.
References
- https://github.com/grafana/grafana/blob/master/CHANGELOG.md
- https://github.com/grafana/grafana/blob/master/CHANGELOG.md#742-2021-02-17
- https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-4-2/
- https://security.netapp.com/advisory/ntap-20210513-0007/