CVE-2021-27358

Published: 17 Feb 2021
Source: redhat
CVSS3: 7.5
EPSS: High

Description

The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.

A flaw was found in Grafana. The snapshot feature allows unauthenticated remote attackers to trigger a denial of service (DoS) via a remote API call if anonymous access is enabled. The highest threat from this vulnerability is to system availability.

Report

While OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) ship a vulnerable version of Grafana, access to the Grafana panel is behind the OpenShift OAuth proxy and requires admin permissions. Therefore these components are affected, but with impact Low. Red Hat Ceph Storage (RHCS) and Red Hat Gluster Storage 3 do not ship the directly affected code; however, they are still affected by this vulnerability because it allows the same configuration of anonymous snapshots, hence this issue has been rated as having a security impact of Low.

Affected packages

Platform                                    Package                          State
OpenShift Service Mesh 1                    servicemesh-grafana              Out of support scope
OpenShift Service Mesh 2.0                  servicemesh-grafana              Will not fix
Red Hat Ceph Storage 2                      grafana                          Out of support scope
Red Hat Ceph Storage 3                      grafana                          Affected
Red Hat Ceph Storage 3                      grafana-container                Affected
Red Hat Ceph Storage 4                      rhceph/rhceph-4-dashboard-rhel8  Affected
Red Hat Enterprise Linux 9                  grafana                          Not affected
Red Hat OpenShift Container Platform 3.11   openshift3/grafana               Fix deferred
Red Hat OpenShift Container Platform 4      openshift4/ose-grafana           Fix deferred
Red Hat Storage 3                           grafana                          Affected


Additional information

Status: Moderate
Defect: CWE-862 -> CWE-400
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1941024
grafana: snapshot feature allows an unauthenticated remote attacker to trigger a DoS via a remote API call

EPSS: 0.72805 (percentile: 99%), High

CVSS3: 7.5 High

Related vulnerabilities

CVSS3: 7.5
ubuntu
more than 4 years ago

The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.

CVSS3: 7.5
nvd
more than 4 years ago

The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.

CVSS3: 7.5
debian
more than 4 years ago

The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unaut ...

CVSS3: 8.2
github
more than 3 years ago

Denial of service in Grafana

suse-cvrf
almost 4 years ago

Security update for grafana
