Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-27358Allocation of Resources Without Limits or Throttling in Grafana Grafana

CWE-770Allocation of Resources Without Limits or ThrottlingCWE-306Missing Authentication for Critical FunctionCWE-400Uncontrolled Resource Consumption7 documents6 sources
Severity
7.5HIGHNVD
EPSS
87.4%
top 0.54%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Github.com Grafana GrafanaGrafana
Timeline
PublishedMar 18
Latest updateFeb 15

Description

The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

Gogithub.com/grafana_grafana6.7.37.4.2
NVDgrafana/grafana6.7.37.4.1

🔴Vulnerability Details

4
GHSA
Denial of service in Grafana2022-02-15
OSV
Denial of service in Grafana2022-02-15
OSV
CVE-2021-27358: The snapshot feature in Grafana 62021-03-18
CVEList
CVE-2021-27358: The snapshot feature in Grafana 62021-03-18

💥Exploits & PoCs

1
Nuclei
Grafana Unauthenticated Snapshot Creation

📋Vendor Advisories

1
Red Hat
grafana: snapshot feature allow an unauthenticated remote attacker to trigger a DoS via a remote API call2021-02-17
CVE-2021-27358 — Grafana Grafana vulnerability | cvebase