漏洞描述
Grafana 是 Grafana实验室的一套提供可视化监控界面的开源监控工具。该工具主要用于监控和分析Graphite、InfluxDB和Prometheus等。Grafana7.5.11之前版本及8.0.0-8.1.6之间版本存在身份验证绕过漏洞。该漏洞源于程序未对数据库快照的访问限制进行正确控制。远程攻击者可利用该漏洞通过访问文本路径:/dashboard/snapshot/:key或/api/snapshots/:key来查看或删除具备最低数据库键的快照。
Grafana Snapshot 身份验证绕过(CVE-2021-39226)
PoC代码
暂无相关漏洞推荐
- Grafana存在重定向漏洞(CVE-2025-4123)
- Grafana /avatar 服务器端请求伪造漏洞(CVE-2020-13379)
- POC CVE-2019-15043: Grafana - Improper Access Control
- POC CVE-2020-11110: Grafana <= 6.7.1 - Cross-Site Scripting
- POC CVE-2020-13379: Grafana 3.0.1-7.0.1 - Server-Side Request Forgery
- POC CVE-2021-27358: Grafana Unauthenticated Snapshot Creation
- POC CVE-2021-39226: Grafana Snapshot - Authentication Bypass
- POC CVE-2021-41174: Grafana 8.0.0 <= v.8.2.2 - Angularjs Rendering Cross-Site Scripting
- POC CVE-2021-43798: Grafana v8.x - Arbitrary File Read
- POC CVE-2022-26148: Grafana & Zabbix Integration - Credentials Disclosure
- POC CVE-2024-9264: Grafana Post-Auth DuckDB - SQL Injection To File Read
- POC CVE-2025-3415: Grafana - Exposes DingDing API Keys
- POC CVE-2025-4123: Grafana - XSS / Open Redirect / SSRF via Client Path Traversal