CVE-2021-39226 (GCVE-0-2021-39226)
Vulnerability from cvelistv5 – Published: 2021-10-05 17:30 – Updated: 2025-10-21 23:25
CWE-287 - Improper Authentication
| URL | Tags |
|---|---|
| https://github.com/grafana/grafana/security/advis… | x_refsource_CONFIRM |
| https://github.com/grafana/grafana/commit/2d456a6… | x_refsource_MISC |
| https://grafana.com/docs/grafana/latest/release-n… | x_refsource_MISC |
| https://grafana.com/docs/grafana/latest/release-n… | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2021/10/05/4 | mailing-list, x_refsource_MLIST |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory, x_refsource_FEDORA |
| https://security.netapp.com/advisory/ntap-2021102… | x_refsource_CONFIRM |
| https://lists.fedoraproject.org/archives/list/pac… | vendor-advisory, x_refsource_FEDORA |
CISA KEV
Known Exploited Vulnerability - GCVE BCP-07 Compliant
Exploited: Yes
Evidence
Type: Vendor Report
Signal: Successful Exploitation
Confidence: 80%
Source: cisa-kev
Details
| Field | Value |
|---|---|
| CWEs | CWE-287 |
| Feed | CISA Known Exploited Vulnerabilities Catalog |
| Product | Grafana |
| Due date | 2022-09-15 |
| Date added | 2022-08-25 |
| Vendor project | Grafana Labs |
| Vulnerability name | Grafana Authentication Bypass Vulnerability |
| Known ransomware campaign use | Unknown |
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:58:18.334Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/"
},
{
"name": "[oss-security] 20211005 CVE-2021-39226 Grafana snapshot authentication bypass",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/10/05/4"
},
{
"name": "FEDORA-2021-dd83dc8b0b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E6ANHRDBXQT6TURLP2THM26ZPDINFBEG/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20211029-0008/"
},
{
"name": "FEDORA-2021-01588ab0bf",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-39226",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-06T19:36:13.338394Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2022-08-25",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39226"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:25:30.669Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39226"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-08-25T00:00:00.000Z",
"value": "CVE-2021-39226 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.1.6"
},
{
"status": "affected",
"version": "\u003c 7.5.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot \"public_mode\" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot \"public_mode\" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-30T01:08:52.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/"
},
{
"name": "[oss-security] 20211005 CVE-2021-39226 Grafana snapshot authentication bypass",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/10/05/4"
},
{
"name": "FEDORA-2021-dd83dc8b0b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E6ANHRDBXQT6TURLP2THM26ZPDINFBEG/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20211029-0008/"
},
{
"name": "FEDORA-2021-01588ab0bf",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT/"
}
],
"source": {
"advisory": "GHSA-69j6-29vr-p3j9",
"discovery": "UNKNOWN"
},
"title": "Snapshot authentication bypass in grafana",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-39226",
"STATE": "PUBLIC",
"TITLE": "Snapshot authentication bypass in grafana"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "grafana",
"version": {
"version_data": [
{
"version_value": "\u003e= 8.0.0, \u003c 8.1.6"
},
{
"version_value": "\u003c 7.5.11"
}
]
}
}
]
},
"vendor_name": "grafana"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot \"public_mode\" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot \"public_mode\" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287: Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9",
"refsource": "CONFIRM",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9"
},
{
"name": "https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269",
"refsource": "MISC",
"url": "https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269"
},
{
"name": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/",
"refsource": "MISC",
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/"
},
{
"name": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/",
"refsource": "MISC",
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/"
},
{
"name": "[oss-security] 20211005 CVE-2021-39226 Grafana snapshot authentication bypass",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/10/05/4"
},
{
"name": "FEDORA-2021-dd83dc8b0b",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E6ANHRDBXQT6TURLP2THM26ZPDINFBEG/"
},
{
"name": "https://security.netapp.com/advisory/ntap-20211029-0008/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20211029-0008/"
},
{
"name": "FEDORA-2021-01588ab0bf",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT/"
}
]
},
"source": {
"advisory": "GHSA-69j6-29vr-p3j9",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-39226",
"datePublished": "2021-10-05T17:30:11.000Z",
"dateReserved": "2021-08-16T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:25:30.669Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"cisa_known_exploited": {
"cveID": "CVE-2021-39226",
"cwes": "[\"CWE-287\"]",
"dateAdded": "2022-08-25",
"dueDate": "2022-09-15",
"knownRansomwareCampaignUse": "Unknown",
"notes": "https://grafana.com/blog/2021/10/05/grafana-7.5.11-and-8.1.6-released-with-critical-security-fix/; https://nvd.nist.gov/vuln/detail/CVE-2021-39226",
"product": "Grafana",
"requiredAction": "Apply updates per vendor instructions.",
"shortDescription": "Grafana contains an authentication bypass vulnerability that allows authenticated and unauthenticated users to view and delete all snapshot data, potentially resulting in complete snapshot data loss.",
"vendorProject": "Grafana Labs",
"vulnerabilityName": "Grafana Authentication Bypass Vulnerability"
},
"epss": {
"cve": "CVE-2021-39226",
"date": "2026-05-21",
"epss": "0.9435",
"percentile": "0.9996"
},
"fkie_nvd": {
"cisaActionDue": "2022-09-15",
"cisaExploitAdd": "2022-08-25",
"cisaRequiredAction": "Apply updates per vendor instructions.",
"cisaVulnerabilityName": "Grafana Authentication Bypass Vulnerability",
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"7.5.11\", \"matchCriteriaId\": \"B3C34F75-9949-40B3-819E-3030A44B0174\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"8.0.0\", \"versionEndExcluding\": \"8.1.6\", \"matchCriteriaId\": \"3218296B-F9C5-4E9E-AE37-70A4296AC016\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A930E247-0B43-43CB-98FF-6CE7B8189835\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"80E516C0-98A4-4ADE-B69F-66A772E2BAAA\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot \\\"public_mode\\\" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot \\\"public_mode\\\" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.\"}, {\"lang\": \"es\", \"value\": \"Grafana es una plataforma de visualizaci\\u00f3n de datos de c\\u00f3digo abierto. En las versiones afectadas los usuarios no autenticados y autenticados son capaces de visualizar la snapshot con la clave de base de datos m\\u00e1s baja accediendo a las rutas literales /dashboard/snapshot/:key, o /api/snapshots/:key. Si el ajuste de configuraci\\u00f3n \\\"public_mode\\\" de la snapshot se establece en true (frente a default o false), unos usuarios no autenticados pueden eliminar la snapshot con la clave de base de datos m\\u00e1s baja al acceder a la ruta literal /api/snapshots-delete/:deleteKey. 
Independientemente de la configuraci\\u00f3n de \\\"public_mode\\\" de la snapshot, unos usuarios autenticados pueden eliminar la snapshot con la clave de base de datos m\\u00e1s baja accediendo a las rutas literales: /api/snapshots/:key, o /api/snapshots-delete/:deleteKey. La combinaci\\u00f3n de borrado y visualizaci\\u00f3n permite un recorrido completo mediante todos los datos de las snapshots mientras se produce una p\\u00e9rdida total de datos de las mismas. Este problema se ha resuelto en las versiones 8.1.6 y 7.5.11. Si por alguna raz\\u00f3n no puede actualizar puede usar un proxy inverso o similar para bloquear el acceso a las rutas literales /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, y /api/snapshots/:key. No tienen ninguna funci\\u00f3n normal y pueden ser deshabilitadas sin efectos secundarios\"}]",
"id": "CVE-2021-39226",
"lastModified": "2024-11-21T06:18:57.193",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\", \"baseScore\": 7.3, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.4}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 6.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2021-10-05T18:15:07.947",
"references": "[{\"url\": \"http://www.openwall.com/lists/oss-security/2021/10/05/4\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT/\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Broken Link\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E6ANHRDBXQT6TURLP2THM26ZPDINFBEG/\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Broken Link\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20211029-0008/\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2021/10/05/4\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", 
\"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E6ANHRDBXQT6TURLP2THM26ZPDINFBEG/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20211029-0008/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-287\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-287\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2021-39226\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-10-05T18:15:07.947\",\"lastModified\":\"2025-10-24T14:47:23.560\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot \\\"public_mode\\\" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot \\\"public_mode\\\" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.\"},{\"lang\":\"es\",\"value\":\"Grafana es una plataforma de visualizaci\u00f3n de datos de c\u00f3digo abierto. En las versiones afectadas los usuarios no autenticados y autenticados son capaces de visualizar la snapshot con la clave de base de datos m\u00e1s baja accediendo a las rutas literales /dashboard/snapshot/:key, o /api/snapshots/:key. 
Si el ajuste de configuraci\u00f3n \\\"public_mode\\\" de la snapshot se establece en true (frente a default o false), unos usuarios no autenticados pueden eliminar la snapshot con la clave de base de datos m\u00e1s baja al acceder a la ruta literal /api/snapshots-delete/:deleteKey. Independientemente de la configuraci\u00f3n de \\\"public_mode\\\" de la snapshot, unos usuarios autenticados pueden eliminar la snapshot con la clave de base de datos m\u00e1s baja accediendo a las rutas literales: /api/snapshots/:key, o /api/snapshots-delete/:deleteKey. La combinaci\u00f3n de borrado y visualizaci\u00f3n permite un recorrido completo mediante todos los datos de las snapshots mientras se produce una p\u00e9rdida total de datos de las mismas. Este problema se ha resuelto en las versiones 8.1.6 y 7.5.11. Si por alguna raz\u00f3n no puede actualizar puede usar un proxy inverso o similar para bloquear el acceso a las rutas literales /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, y /api/snapshots/:key. 
No tienen ninguna funci\u00f3n normal y pueden ser deshabilitadas sin efectos secundarios\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":3.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"cisaExploitAdd\":\"2022-08-25\",\"cisaActionDue\":\"2022-09-15\",\"cisaRequiredAction\":\"Apply updates per vendor instructions.\",\"cisaVulnerabilityName\":\"Grafana Authentication Bypass 
Vulnerability\",\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"7.5.11\",\"matchCriteriaId\":\"B3C34F75-9949-40B3-819E-3030A44B0174\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.0\",\"versionEndExcluding\":\"8.1.6\",\"matchCriteriaId\":\"3218296B-F9C5-4E9E-AE37-70A4296AC016\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A930E247-0B43-43CB-98FF-6CE7B8189835\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80E516C0-98A4-4ADE-B69F-66A772E2BAAA\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2021/10/05/4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release 
Notes\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E6ANHRDBXQT6TURLP2THM26ZPDINFBEG/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20211029-0008/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2021/10/05/4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E6ANHRDBXQT6TURLP2THM26ZPDINFBEG/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken 
Link\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20211029-0008/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39226\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2021/10/05/4\", \"name\": \"[oss-security] 20211005 CVE-2021-39226 Grafana snapshot authentication bypass\", \"tags\": [\"mailing-list\", \"x_refsource_MLIST\", \"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E6ANHRDBXQT6TURLP2THM26ZPDINFBEG/\", \"name\": \"FEDORA-2021-dd83dc8b0b\", \"tags\": [\"vendor-advisory\", \"x_refsource_FEDORA\", \"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20211029-0008/\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT/\", \"name\": \"FEDORA-2021-01588ab0bf\", \"tags\": [\"vendor-advisory\", \"x_refsource_FEDORA\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-04T01:58:18.334Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2021-39226\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": 
\"2.0.3\", \"timestamp\": \"2025-02-06T19:36:13.338394Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2022-08-25\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39226\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2022-08-25T00:00:00.000Z\", \"value\": \"CVE-2021-39226 added to CISA KEV\"}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39226\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-06T19:36:17.889Z\"}}], \"cna\": {\"title\": \"Snapshot authentication bypass in grafana\", \"source\": {\"advisory\": \"GHSA-69j6-29vr-p3j9\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"grafana\", \"product\": \"grafana\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 8.0.0, \u003c 8.1.6\"}, {\"status\": \"affected\", \"version\": \"\u003c 7.5.11\"}]}], \"references\": [{\"url\": \"https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/\", \"tags\": 
[\"x_refsource_MISC\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2021/10/05/4\", \"name\": \"[oss-security] 20211005 CVE-2021-39226 Grafana snapshot authentication bypass\", \"tags\": [\"mailing-list\", \"x_refsource_MLIST\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E6ANHRDBXQT6TURLP2THM26ZPDINFBEG/\", \"name\": \"FEDORA-2021-dd83dc8b0b\", \"tags\": [\"vendor-advisory\", \"x_refsource_FEDORA\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20211029-0008/\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT/\", \"name\": \"FEDORA-2021-01588ab0bf\", \"tags\": [\"vendor-advisory\", \"x_refsource_FEDORA\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot \\\"public_mode\\\" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot \\\"public_mode\\\" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. 
If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-287\", \"description\": \"CWE-287: Improper Authentication\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2021-10-30T01:08:52.000Z\"}, \"x_legacyV4Record\": {\"impact\": {\"cvss\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, \"source\": {\"advisory\": \"GHSA-69j6-29vr-p3j9\", \"discovery\": \"UNKNOWN\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"\u003e= 8.0.0, \u003c 8.1.6\"}, {\"version_value\": \"\u003c 7.5.11\"}]}, \"product_name\": \"grafana\"}]}, \"vendor_name\": \"grafana\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9\", \"name\": \"https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9\", \"refsource\": \"CONFIRM\"}, {\"url\": \"https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269\", \"name\": \"https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269\", \"refsource\": \"MISC\"}, {\"url\": \"https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/\", 
\"name\": \"https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/\", \"refsource\": \"MISC\"}, {\"url\": \"https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/\", \"name\": \"https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/\", \"refsource\": \"MISC\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2021/10/05/4\", \"name\": \"[oss-security] 20211005 CVE-2021-39226 Grafana snapshot authentication bypass\", \"refsource\": \"MLIST\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E6ANHRDBXQT6TURLP2THM26ZPDINFBEG/\", \"name\": \"FEDORA-2021-dd83dc8b0b\", \"refsource\": \"FEDORA\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20211029-0008/\", \"name\": \"https://security.netapp.com/advisory/ntap-20211029-0008/\", \"refsource\": \"CONFIRM\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT/\", \"name\": \"FEDORA-2021-01588ab0bf\", \"refsource\": \"FEDORA\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot \\\"public_mode\\\" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot \\\"public_mode\\\" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. 
The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-287: Improper Authentication\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2021-39226\", \"STATE\": \"PUBLIC\", \"TITLE\": \"Snapshot authentication bypass in grafana\", \"ASSIGNER\": \"security-advisories@github.com\"}}}}",
"cveMetadata": "{\"cveId\": \"CVE-2021-39226\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-21T23:25:30.669Z\", \"dateReserved\": \"2021-08-16T00:00:00.000Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2021-10-05T17:30:11.000Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
BDU:2023-01019
Vulnerability from fstec - Published: 05.10.2021
{
"CVSS 2.0": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Fedora Project, \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb, Grafana Labs, \u041e\u041e\u041e \u00ab\u042e\u0431\u0438\u0442\u0435\u0445\u00bb",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "34 (Fedora), 35 (Fedora), - (\u0410\u043b\u044c\u0442 8 \u0421\u041f), \u0434\u043e 7.5.11 (Grafana), \u043e\u0442 8.0.0 \u0434\u043e 8.1.6 (Grafana), \u0434\u043e 2405 (UBLinux)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f Grafana:\nhttps://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/\n\n\u0414\u043b\u044f Fedora Project:\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT/ \nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E6ANHRDBXQT6TURLP2THM26ZPDINFBEG/\n\n\n\n\u0414\u043b\u044f \u041e\u0421 \u0410\u043b\u044c\u0442 8 \u0421\u041f: \n\u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u0438\u0437 \u043f\u0443\u0431\u043b\u0438\u0447\u043d\u043e\u0433\u043e \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430\n\n\u0414\u043b\u044f UBLinux:\nhttps://security.ublinux.ru/CVE-2021-21708",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "05.10.2021",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "30.10.2024",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "06.03.2023",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2023-01019",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2021-39226",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Fedora, \u0410\u043b\u044c\u0442 8 \u0421\u041f (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164305), Grafana, UBLinux (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21166874)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "Fedora Project Fedora 34 , Fedora Project Fedora 35 , \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb \u0410\u043b\u044c\u0442 8 \u0421\u041f - (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164305), \u041e\u041e\u041e \u00ab\u042e\u0431\u0438\u0442\u0435\u0445\u00bb UBLinux \u0434\u043e 2405 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21166874)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0432\u0435\u0431-\u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u0430 \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0434\u0430\u043d\u043d\u044b\u0445 Grafana, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043a\u0430\u043c\u0438 \u043f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u044b \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438, \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438 \u0438\u043b\u0438 \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u0441\u0432\u043e\u0438 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0430\u044f \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f (CWE-287)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0432\u0435\u0431-\u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u0430 \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0434\u0430\u043d\u043d\u044b\u0445 Grafana \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043a\u0430\u043c\u0438 \u043f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u044b \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438, \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438 \u0438\u043b\u0438 \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u0441\u0432\u043e\u0438 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041d\u0430\u0440\u0443\u0448\u0435\u043d\u0438\u0435 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT/ \nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E6ANHRDBXQT6TURLP2THM26ZPDINFBEG/\nhttps://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9\n\nhttps://altsp.su/obnovleniya-bezopasnosti/\n\nhttps://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv\nhttps://security.ublinux.ru/CVE-2021-21708",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-287",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 10)\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9,8)"
}
bit-grafana-2021-39226
Vulnerability from bitnami_vulndb
Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "grafana",
"purl": "pkg:bitnami/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.5.11"
},
{
"introduced": "8.0.0"
},
{
"fixed": "8.1.6"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2021-39226"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*"
],
"severity": "High"
},
"details": "Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot \"public_mode\" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot \"public_mode\" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.",
"id": "BIT-grafana-2021-39226",
"modified": "2026-02-24T21:09:55.900Z",
"published": "2024-03-06T10:59:36.715Z",
"references": [
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/10/05/4"
},
{
"type": "WEB",
"url": "https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269"
},
{
"type": "WEB",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9"
},
{
"type": "WEB",
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/"
},
{
"type": "WEB",
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT/"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E6ANHRDBXQT6TURLP2THM26ZPDINFBEG/"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20211029-0008/"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39226"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39226"
}
],
"schema_version": "1.5.0",
"summary": "Snapshot authentication bypass in grafana"
}
FKIE_CVE-2021-39226
Vulnerability from fkie_nvd - Published: 2021-10-05 18:15 - Updated: 2025-10-24 14:47
7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
| Vendor | Product | Version | |
|---|---|---|---|
| grafana | grafana | * | |
| grafana | grafana | * | |
| fedoraproject | fedora | 34 | |
| fedoraproject | fedora | 35 | |
{
"cisaActionDue": "2022-09-15",
"cisaExploitAdd": "2022-08-25",
"cisaRequiredAction": "Apply updates per vendor instructions.",
"cisaVulnerabilityName": "Grafana Authentication Bypass Vulnerability",
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B3C34F75-9949-40B3-819E-3030A44B0174",
"versionEndExcluding": "7.5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3218296B-F9C5-4E9E-AE37-70A4296AC016",
"versionEndExcluding": "8.1.6",
"versionStartIncluding": "8.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
"matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
"matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot \"public_mode\" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot \"public_mode\" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects."
},
{
"lang": "es",
"value": "Grafana es una plataforma de visualizaci\u00f3n de datos de c\u00f3digo abierto. En las versiones afectadas los usuarios no autenticados y autenticados son capaces de visualizar la snapshot con la clave de base de datos m\u00e1s baja accediendo a las rutas literales /dashboard/snapshot/:key, o /api/snapshots/:key. Si el ajuste de configuraci\u00f3n \"public_mode\" de la snapshot se establece en true (frente a default o false), unos usuarios no autenticados pueden eliminar la snapshot con la clave de base de datos m\u00e1s baja al acceder a la ruta literal /api/snapshots-delete/:deleteKey. Independientemente de la configuraci\u00f3n de \"public_mode\" de la snapshot, unos usuarios autenticados pueden eliminar la snapshot con la clave de base de datos m\u00e1s baja accediendo a las rutas literales: /api/snapshots/:key, o /api/snapshots-delete/:deleteKey. La combinaci\u00f3n de borrado y visualizaci\u00f3n permite un recorrido completo mediante todos los datos de las snapshots mientras se produce una p\u00e9rdida total de datos de las mismas. Este problema se ha resuelto en las versiones 8.1.6 y 7.5.11. Si por alguna raz\u00f3n no puede actualizar puede usar un proxy inverso o similar para bloquear el acceso a las rutas literales /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, y /api/snapshots/:key. No tienen ninguna funci\u00f3n normal y pueden ser deshabilitadas sin efectos secundarios"
}
],
"id": "CVE-2021-39226",
"lastModified": "2025-10-24T14:47:23.560",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-10-05T18:15:07.947",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/10/05/4"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/"
},
{
"source": "security-advisories@github.com",
"tags": [
"Broken Link"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT/"
},
{
"source": "security-advisories@github.com",
"tags": [
"Broken Link"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E6ANHRDBXQT6TURLP2THM26ZPDINFBEG/"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20211029-0008/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/10/05/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E6ANHRDBXQT6TURLP2THM26ZPDINFBEG/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20211029-0008/"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"US Government Resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39226"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-69J6-29VR-P3J9
Vulnerability from github – Published: 2021-10-05 20:24 – Updated: 2025-10-22 19:08
Today we are releasing Grafana 7.5.11, and 8.1.6. These patch releases include an important security fix for an issue that affects all Grafana versions from 2.0.1.
Grafana Cloud instances have already been patched and an audit did not find any usage of this attack vector. Grafana Enterprise customers were provided with updated binaries under embargo.
8.1.5 contained a single fix for bar chart panels. We believe that users can expedite deployment by moving from 8.1.4 to 8.1.6 directly.
CVE-2021-39226 Snapshot authentication bypass
Summary
CVSS Score: 9.8 Critical CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
We received a security report to security@grafana.com on 2021-09-15 about a vulnerability in Grafana regarding the snapshot feature. It was later identified as affecting Grafana versions from 2.0.1 to 8.1.6. CVE-2021-39226 has been assigned to this vulnerability.
Impact
Unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths:
* /dashboard/snapshot/:key, or
* /api/snapshots/:key
If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path:
/api/snapshots-delete/:deleteKey
Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths:
* /api/snapshots/:key, or
* /api/snapshots-delete/:deleteKey
The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss.
Attack audit
While we can not guarantee that the below will identify all attacks, if you do find something with the below, you should consider doing a full assessment.
Through reverse proxy/load balancer logs
To determine if your Grafana installation has been exploited for this vulnerability, search through your reverse proxy/load balancer access logs for instances where the path is /dashboard/snapshot/:key, /api/snapshots/:key or /api/snapshots-delete/:deleteKey, and the response status code was 200 (OK).
For example, if you’re using the Kubernetes ingress-nginx controller and sending logs to Loki, use a LogQL query like {job="nginx-ingress-controller"} |= "\"status\": 200" |= "\"uri\": \"/api/snapshots/:key\"".
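The access-log search described above, as an added example (not Grafana's own tooling): it flags requests to the three literal paths and marks those answered with status 200. The sample log lines are constructed, the JSON `method` field is an assumed field name, and classifying `DELETE /api/snapshots/:key` as a deletion is this example's assumption about the routing.

```python
import json
import re

# Literal request paths named in the advisory. ":key" and ":deleteKey" are
# matched as literal text, not as placeholders for a real snapshot key.
VIEW_PATHS = {"/dashboard/snapshot/:key", "/api/snapshots/:key"}
DELETE_PATHS = {"/api/snapshots-delete/:deleteKey"}

# Request line and status code of a common/combined format access-log entry.
COMBINED_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+" (?P<status>\d{3})\b'
)


def parse_line(line):
    """Return (method, target, status) for a log line, or None if unparseable.

    Handles JSON lines with "uri" and "status" fields (as in the LogQL
    example) and common/combined format lines.
    """
    line = line.strip()
    if line.startswith("{"):
        try:
            rec = json.loads(line)
            # "method" is an assumed field name; it may be absent.
            method = str(rec.get("method", "")).upper()
            return method, str(rec["uri"]), int(rec["status"])
        except (ValueError, KeyError, TypeError, AttributeError):
            return None
    m = COMBINED_RE.search(line)
    if m is None:
        return None
    return m.group("method"), m.group("target"), int(m.group("status"))


def classify(method, target):
    """Return "view", "delete" or None for a request target."""
    path = target.split("?", 1)[0]  # ignore any query string
    if path in DELETE_PATHS:
        return "delete"
    if path in VIEW_PATHS:
        # Assumption of this example: DELETE on the API path is a deletion.
        if method == "DELETE" and path == "/api/snapshots/:key":
            return "delete"
        return "view"
    return None  # includes requests for real snapshot keys


def audit(lines):
    """Return one finding per request that hit a literal path."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        method, target, status = parsed
        action = classify(method, target)
        if action is not None:
            findings.append({
                "line": lineno,
                "action": action,
                "status": status,
                # The advisory treats a 200 response as the exploitation signal.
                "successful": status == 200,
            })
    return findings


# Constructed sample input (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Sep/2021:09:12:01 +0000] "GET /api/snapshots/:key HTTP/1.1" 200 5123 "-" "-"',
    '203.0.113.7 - - [16/Sep/2021:09:12:05 +0000] "GET /api/snapshots-delete/:deleteKey HTTP/1.1" 200 41 "-" "-"',
    '198.51.100.20 - - [16/Sep/2021:09:13:10 +0000] "GET /api/snapshots/Zk3pQ9 HTTP/1.1" 200 4810 "-" "-"',
    '{"status": 200, "uri": "/dashboard/snapshot/:key", "method": "GET"}',
    '198.51.100.20 - - [16/Sep/2021:09:14:00 +0000] "GET /dashboard/snapshot/:key?orgId=1 HTTP/1.1" 404 19 "-" "-"',
    'truncated or unrelated line',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Any finding with `successful` set warrants the full assessment the advisory recommends; a `delete` finding additionally means snapshot data may already be gone.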
Through the Grafana Enterprise audit feature
If you enabled “Log web requests” in your configuration with router_logging = true, look for
"requestUri":"/api/snapshots-delete/", "requestUri":"/api/snapshots/:key", or "type":"snapshot" in combination with "action":"delete".
Patched versions
Release 8.1.6:
Release 7.5.11:
Solutions and mitigations
Download and install the appropriate patch for your version of Grafana.
Grafana Cloud instances have already been patched, and Grafana Enterprise customers were provided with updated binaries under embargo.
Workaround
If for some reason you cannot upgrade:
You can use a reverse proxy or similar to block access to the literal paths
* /api/snapshots/:key
* /api/snapshots-delete/:deleteKey
* /dashboard/snapshot/:key
* /api/snapshots/:key
They have no normal function and can be disabled without side effects.
Timeline and postmortem
Here is a detailed timeline starting from when we originally learned of the issue. All times in UTC.
- 2021-09-15 14:49: Tuan Tran theblackturtle0901@gmail.com sends initial report about viewing snapshots without authentication
- 2021-09-15 15:56: Initial reproduction
- 2021-09-15 17:10: MEDIUM severity declared
- 2021-09-15 18:58: Workaround deployed on Grafana Cloud
- 2021-09-15 19:15: /api/snapshots/:key found to be vulnerable as well
- 2021-09-15 19:30: /api/snapshots/:key blocked on Grafana Cloud
- 2021-09-16 09:31: /api/snapshots-delete/:deleteKey found to be vulnerable as well, blocked on Grafana Cloud. From this point forward, Cloud is not affected any more.
- 2021-09-16 09:35: HIGH severity declared
- 2021-09-16 11:19: Realization that combination of deletion and viewing allows enumeration and permanent DoS
- 2021-09-16 11:19: CRITICAL declared
- 2021-09-17 10:53: Determination that no weekend work is needed. While issue is CRITICAL, scope is very limited
- 2021-09-17 14:26: Audit of Grafana Cloud concluded, no evidence of exploitation
- 2021-09-23: Grafana Cloud instances updated
- 2021-09-28 12:00: Grafana Enterprise images released to customers under embargo
- 2021-10-05 17:00: Public release
Reporting security issues
If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs's open source and commercial products (including but not limited to Grafana, Tempo, Loki, Amixr, k6, Tanka, and Grafana Cloud, Grafana Enterprise, and grafana.com). We only accept vulnerability reports at this address. We would prefer that you encrypt your message to us using our PGP key. The key fingerprint is:
F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA
The key is available from keys.gnupg.net by searching for [security@grafana](http://keys.gnupg.net/pks/lookup?search=security@grafana&fingerprint=on&op=index).
Security announcements
We maintain a category on the community site named Security Announcements, where we will post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to email updates to this category if you have a grafana.com account and sign in to the community site, or via updates from our Security Announcements RSS feed.
Acknowledgement
We would like to thank Tran Viet Tuan for responsibly disclosing the initially discovered vulnerability to us.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.5.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.1.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-39226"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2021-10-05T18:49:35Z",
"nvd_published_at": "2021-10-05T18:15:00Z",
"severity": "HIGH"
},
"details": "Today we are releasing Grafana 7.5.11, and 8.1.6. These patch releases include an important security fix for an issue that affects all Grafana versions from 2.0.1.\n\n[Grafana Cloud](https://grafana.com/cloud) instances have already been patched and an audit did not find any usage of this attack vector. [Grafana Enterprise](https://grafana.com/products/enterprise) customers were provided with updated binaries under embargo.\n\n8.1.5 contained a single fix for bar chart panels. We believe that users can expedite deployment by moving from 8.1.4 to 8.1.6 directly.\n\n## CVE-2021-39226 Snapshot authentication bypass\n\n### Summary\n\nCVSS Score: 9.8 Critical\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\nWe received a security report to [security@grafana.com](mailto:security@grafana.com) on 2021-09-15 about a vulnerability in Grafana regarding the snapshot feature. It was later identified as affecting Grafana versions from 2.0.1 to 8.1.6. [CVE-2021-39226](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39226) has been assigned to this vulnerability.\n\n### Impact\nUnauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths:\n\n* `/dashboard/snapshot/:key`, or\n* `/api/snapshots/:key`\n\nIf the snapshot \"public_mode\" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path:\n\n* `/api/snapshots-delete/:deleteKey`\n\nRegardless of the snapshot \"public_mode\" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths:\n\n* `/api/snapshots/:key`, or\n* `/api/snapshots-delete/:deleteKey`\n\nThe combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss.\n\n### Attack audit\n\nWhile we can not guarantee that the below will identify 
all attacks, if you do find something with the below, you should consider doing a full assessment.\n\n#### Through reverse proxy/load balancer logs\n\nTo determine if your Grafana installation has been exploited for this vulnerability, search through your reverse proxy/load balancer access logs for instances where the path is `/dashboard/snapshot/:key`, `/api/snapshots/:key` or `/api/snapshots-delete/:deleteKey`, and the response status code was 200 (OK).\nFor example, if you\u2019re using the Kubernetes ingress-nginx controller and sending logs to Loki, use a LogQL query like `{job=\"nginx-ingress-controller\"} |= \"\\\"status\\\": 200\" |= \"\\\"uri\\\": \\\"/api/snapshots/:key\\\"\"`.\n\n#### Through the Grafana Enterprise audit feature\n\nIf you enabled \u201cLog web requests\u201d in your configuration with `router_logging = true`, look for\n`\"requestUri\":\"/api/snapshots-delete/\u201d`,`\u201crequestUri\":\"/api/snapshots/:key\"`, or `\"type\":\"snapshot\"` in combination with `\"action\":\"delete\"`.\n\n### Patched versions\n\nRelease 8.1.6: \n\n- [Download Grafana 8.1.6](https://grafana.com/grafana/download/8.1.6)\n- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/)\n\nRelease 7.5.11: \n\n- [Download Grafana 7.5.11](https://grafana.com/grafana/download/7.5.11)\n- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/)\n\n### Solutions and mitigations\n\nDownload and install the appropriate patch for your version of Grafana.\n\n[Grafana Cloud](https://grafana.com/cloud) instances have already been patched, and [Grafana Enterprise](https://grafana.com/products/enterprise) customers were provided with updated binaries under embargo.\n\n### Workaround\n\nIf for some reason you cannot upgrade:\n\nYou can use a reverse proxy or similar to block access to the literal paths\n* `/api/snapshots/:key`\n* `/api/snapshots-delete/:deleteKey`\n* `/dashboard/snapshot/:key`\n* 
`/api/snapshots/:key`\n\nThey have no normal function and can be disabled without side effects.\n\n### Timeline and postmortem\n\nHere is a detailed timeline starting from when we originally learned of the issue. All times in UTC.\n\n* 2021-09-15 14:49: Tuan Tran theblackturtle0901@gmail.com sends initial report about viewing snapshots without authentication\n* 2021-09-15 15:56: Initial reproduction\n* 2021-09-15 17:10: MEDIUM severity declared\n* 2021-09-15 18:58: Workaround deployed on Grafana Cloud\n* 2021-09-15 19:15: `/api/snapshots/:key` found to be vulnerable as well\n* 2021-09-15 19:30: `/api/snapshots/:key` blocked on Grafana Cloud\n* 2021-09-16 09:31: `/api/snapshots-delete/:deleteKey` found to be vulnerable as well, blocked on Grafana Cloud. From this point forward, Cloud is not affected any more.\n* 2021-09-16 09:35: HIGH severity declared\n* 2021-09-16 11:19: Realization that combination of deletion and viewing allows enumeration and permanent DoS\n* 2021-09-16 11:19: CRITICAL declared\n* 2021-09-17 10:53: Determination that no weekend work is needed. While issue is CRITICAL, scope is very limited\n* 2021-09-17 14:26: Audit of Grafana Cloud concluded, no evidence of exploitation\n* 2021-09-23: Grafana Cloud instances updated\n* 2021-09-28 12:00: Grafana Enterprise images released to customers under embargo\n* 2021-10-05 17:00: Public release\n\n## Reporting security issues\n\nIf you think you have found a security vulnerability, please send a report to [security@grafana.com](mailto:security@grafana.com). This address can be used for all of\nGrafana Labs\u0027s open source and commercial products (including but not limited to Grafana, Tempo, Loki, Amixr, k6, Tanka, and Grafana Cloud, Grafana Enterprise, and grafana.com). We only accept vulnerability reports at this address. We would prefer that you encrypt your message to us using our PGP key. 
The key fingerprint is:\n\nF988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA\n\nThe key is available from [keys.gnupg.net](http://keys.gnupg.net/pks/lookup?op=get\u0026fingerprint=on\u0026search=0xD1258932BE24C5CA) by searching for [security@grafana](http://keys.gnupg.net/pks/lookup?search=security@grafana\u0026fingerprint=on\u0026op=index.\n\n## Security announcements\n\nWe maintain a category on the community site named [Security Announcements](https://community.grafana.com/c/security-announcements),\nwhere we will post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to email updates to this category if you have a grafana.com account and sign in to the community site, or via updates from our [Security Announcements RSS feed](https://community.grafana.com/c/security-announcements.rss).\n\n## Acknowledgement\n\nWe would like to thank [Tran Viet Tuan](https://github.com/theblackturtle) for responsibly disclosing the initially discovered vulnerability to us.",
"id": "GHSA-69j6-29vr-p3j9",
"modified": "2025-10-22T19:08:03Z",
"published": "2021-10-05T20:24:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39226"
},
{
"type": "WEB",
"url": "https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269"
},
{
"type": "PACKAGE",
"url": "https://github.com/grafana/grafana"
},
{
"type": "WEB",
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11"
},
{
"type": "WEB",
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E6ANHRDBXQT6TURLP2THM26ZPDINFBEG"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E6ANHRDBXQT6TURLP2THM26ZPDINFBEG"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20211029-0008"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-39226"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/10/05/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:H",
"type": "CVSS_V3"
}
],
"summary": "Authentication bypass for viewing and deletions of snapshots"
}
GSD-2021-39226
Vulnerability from gsd - Updated: 2023-12-13 01:23
{
"GSD": {
"alias": "CVE-2021-39226",
"description": "Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot \"public_mode\" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot \"public_mode\" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.",
"id": "GSD-2021-39226",
"references": [
"https://www.suse.com/security/cve/CVE-2021-39226.html",
"https://access.redhat.com/errata/RHSA-2021:3771",
"https://access.redhat.com/errata/RHSA-2021:3770",
"https://access.redhat.com/errata/RHSA-2021:3769",
"https://access.redhat.com/errata/RHSA-2022:0056",
"https://security.archlinux.org/CVE-2021-39226",
"https://linux.oracle.com/cve/CVE-2021-39226.html",
"https://access.redhat.com/errata/RHSA-2022:6252",
"https://access.redhat.com/errata/RHSA-2022:6262",
"https://access.redhat.com/errata/RHSA-2022:6308",
"https://access.redhat.com/errata/RHSA-2022:6317",
"https://access.redhat.com/errata/RHSA-2022:6322"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-39226"
],
"details": "Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot \"public_mode\" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot \"public_mode\" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.",
"id": "GSD-2021-39226",
"modified": "2023-12-13T01:23:15.559965Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-39226",
"STATE": "PUBLIC",
"TITLE": " Snapshot authentication bypass in grafana"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "grafana",
"version": {
"version_data": [
{
"version_value": "\u003e= 8.0.0, \u003c 8.1.6"
},
{
"version_value": "\u003c 7.5.11"
}
]
}
}
]
},
"vendor_name": "grafana"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot \"public_mode\" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot \"public_mode\" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287: Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9",
"refsource": "CONFIRM",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9"
},
{
"name": "https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269",
"refsource": "MISC",
"url": "https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269"
},
{
"name": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/",
"refsource": "MISC",
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/"
},
{
"name": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/",
"refsource": "MISC",
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/"
},
{
"name": "[oss-security] 20211005 CVE-2021-39226 Grafana snapshot authentication bypass",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/10/05/4"
},
{
"name": "FEDORA-2021-dd83dc8b0b",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E6ANHRDBXQT6TURLP2THM26ZPDINFBEG/"
},
{
"name": "https://security.netapp.com/advisory/ntap-20211029-0008/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20211029-0008/"
},
{
"name": "FEDORA-2021-01588ab0bf",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT/"
}
]
},
"source": {
"advisory": "GHSA-69j6-29vr-p3j9",
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c7.5.11||\u003e=8.0.0 \u003c8.1.6",
"affected_versions": "All versions before 7.5.11, all versions starting from 8.0.0 before 8.1.6",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"cwe_ids": [
"CWE-1035",
"CWE-287",
"CWE-937"
],
"date": "2021-11-18",
"description": "Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot \"public_mode\" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot \"public_mode\" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.",
"fixed_versions": [
"7.5.11",
"8.1.6"
],
"identifier": "CVE-2021-39226",
"identifiers": [
"GHSA-69j6-29vr-p3j9",
"CVE-2021-39226"
],
"not_impacted": "All versions starting from 7.5.11 before 8.0.0, all versions starting from 8.1.6",
"package_slug": "go/github.com/grafana/grafana",
"pubdate": "2021-10-05",
"solution": "Upgrade to versions 7.5.11, 8.1.6 or above.",
"title": "Improper Authentication",
"urls": [
"https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9",
"https://nvd.nist.gov/vuln/detail/CVE-2021-39226",
"https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269",
"https://github.com/advisories/GHSA-69j6-29vr-p3j9"
],
"uuid": "b7aa7dcb-1659-433d-bc34-8b61743bcbd8"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "7.5.11",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "8.1.6",
"versionStartIncluding": "8.0.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-39226"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot \"public_mode\" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot \"public_mode\" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269"
},
{
"name": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/",
"refsource": "MISC",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6/"
},
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9"
},
{
"name": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/",
"refsource": "MISC",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11/"
},
{
"name": "[oss-security] 20211005 CVE-2021-39226 Grafana snapshot authentication bypass",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2021/10/05/4"
},
{
"name": "FEDORA-2021-dd83dc8b0b",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E6ANHRDBXQT6TURLP2THM26ZPDINFBEG/"
},
{
"name": "https://security.netapp.com/advisory/ntap-20211029-0008/",
"refsource": "CONFIRM",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20211029-0008/"
},
{
"name": "FEDORA-2021-01588ab0bf",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT/"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.4
}
},
"lastModifiedDate": "2021-11-28T23:22Z",
"publishedDate": "2021-10-05T18:15Z"
}
}
}
OPENSUSE-SU-2022:0140-1
Vulnerability from csaf_opensuse - Published: 2022-01-20 12:25 - Updated: 2022-01-20 12:25
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.3:grafana-7.5.12-3.18.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:grafana-7.5.12-3.18.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:grafana-7.5.12-3.18.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.3:grafana-7.5.12-3.18.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for grafana",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for grafana fixes the following issues:\n\n- CVE-2021-39226: Fixed snapshot authentication bypass (bsc#1191454)\n- CVE-2021-43813: Fixed markdown path traversal (bsc#1193688)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-SLE-15.3-2022-140",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2022_0140-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2022:0140-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZUS4G6GRHNJN7AR53SGJABSHRZM3XMOY/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2022:0140-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZUS4G6GRHNJN7AR53SGJABSHRZM3XMOY/"
},
{
"category": "self",
"summary": "SUSE Bug 1191454",
"url": "https://bugzilla.suse.com/1191454"
},
{
"category": "self",
"summary": "SUSE Bug 1193688",
"url": "https://bugzilla.suse.com/1193688"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-39226 page",
"url": "https://www.suse.com/security/cve/CVE-2021-39226/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-43813 page",
"url": "https://www.suse.com/security/cve/CVE-2021-43813/"
}
],
"title": "Security update for grafana",
"tracking": {
"current_release_date": "2022-01-20T12:25:15Z",
"generator": {
"date": "2022-01-20T12:25:15Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2022:0140-1",
"initial_release_date": "2022-01-20T12:25:15Z",
"revision_history": [
{
"date": "2022-01-20T12:25:15Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "grafana-7.5.12-3.18.1.aarch64",
"product": {
"name": "grafana-7.5.12-3.18.1.aarch64",
"product_id": "grafana-7.5.12-3.18.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-7.5.12-3.18.1.ppc64le",
"product": {
"name": "grafana-7.5.12-3.18.1.ppc64le",
"product_id": "grafana-7.5.12-3.18.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-7.5.12-3.18.1.s390x",
"product": {
"name": "grafana-7.5.12-3.18.1.s390x",
"product_id": "grafana-7.5.12-3.18.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-7.5.12-3.18.1.x86_64",
"product": {
"name": "grafana-7.5.12-3.18.1.x86_64",
"product_id": "grafana-7.5.12-3.18.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.3",
"product": {
"name": "openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.3"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-7.5.12-3.18.1.aarch64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:grafana-7.5.12-3.18.1.aarch64"
},
"product_reference": "grafana-7.5.12-3.18.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-7.5.12-3.18.1.ppc64le as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:grafana-7.5.12-3.18.1.ppc64le"
},
"product_reference": "grafana-7.5.12-3.18.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-7.5.12-3.18.1.s390x as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:grafana-7.5.12-3.18.1.s390x"
},
"product_reference": "grafana-7.5.12-3.18.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-7.5.12-3.18.1.x86_64 as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:grafana-7.5.12-3.18.1.x86_64"
},
"product_reference": "grafana-7.5.12-3.18.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-39226",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-39226"
}
],
"notes": [
{
"category": "general",
"text": "Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot \"public_mode\" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot \"public_mode\" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:grafana-7.5.12-3.18.1.aarch64",
"openSUSE Leap 15.3:grafana-7.5.12-3.18.1.ppc64le",
"openSUSE Leap 15.3:grafana-7.5.12-3.18.1.s390x",
"openSUSE Leap 15.3:grafana-7.5.12-3.18.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-39226",
"url": "https://www.suse.com/security/cve/CVE-2021-39226"
},
{
"category": "external",
"summary": "SUSE Bug 1191454 for CVE-2021-39226",
"url": "https://bugzilla.suse.com/1191454"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:grafana-7.5.12-3.18.1.aarch64",
"openSUSE Leap 15.3:grafana-7.5.12-3.18.1.ppc64le",
"openSUSE Leap 15.3:grafana-7.5.12-3.18.1.s390x",
"openSUSE Leap 15.3:grafana-7.5.12-3.18.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:grafana-7.5.12-3.18.1.aarch64",
"openSUSE Leap 15.3:grafana-7.5.12-3.18.1.ppc64le",
"openSUSE Leap 15.3:grafana-7.5.12-3.18.1.s390x",
"openSUSE Leap 15.3:grafana-7.5.12-3.18.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-01-20T12:25:15Z",
"details": "important"
}
],
"title": "CVE-2021-39226"
},
{
"cve": "CVE-2021-43813",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-43813"
}
],
"notes": [
{
"category": "general",
"text": "Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files with the extension .md to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Users should upgrade to patched versions 8.3.2 or 7.5.12. For users who cannot upgrade, running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to also be able to handle url encoded paths. Alternatively, for fully lowercase or fully uppercase .md files, users can block /api/plugins/.*/markdown/.* without losing any functionality beyond inlined plugin help text.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.3:grafana-7.5.12-3.18.1.aarch64",
"openSUSE Leap 15.3:grafana-7.5.12-3.18.1.ppc64le",
"openSUSE Leap 15.3:grafana-7.5.12-3.18.1.s390x",
"openSUSE Leap 15.3:grafana-7.5.12-3.18.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-43813",
"url": "https://www.suse.com/security/cve/CVE-2021-43813"
},
{
"category": "external",
"summary": "SUSE Bug 1193686 for CVE-2021-43813",
"url": "https://bugzilla.suse.com/1193686"
},
{
"category": "external",
"summary": "SUSE Bug 1193688 for CVE-2021-43813",
"url": "https://bugzilla.suse.com/1193688"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.3:grafana-7.5.12-3.18.1.aarch64",
"openSUSE Leap 15.3:grafana-7.5.12-3.18.1.ppc64le",
"openSUSE Leap 15.3:grafana-7.5.12-3.18.1.s390x",
"openSUSE Leap 15.3:grafana-7.5.12-3.18.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.3:grafana-7.5.12-3.18.1.aarch64",
"openSUSE Leap 15.3:grafana-7.5.12-3.18.1.ppc64le",
"openSUSE Leap 15.3:grafana-7.5.12-3.18.1.s390x",
"openSUSE Leap 15.3:grafana-7.5.12-3.18.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2022-01-20T12:25:15Z",
"details": "moderate"
}
],
"title": "CVE-2021-43813"
}
]
}
OPENSUSE-SU-2024:11651-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-7.5.11-3.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:grafana-7.5.11-3.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:grafana-7.5.11-3.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:grafana-7.5.11-3.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "grafana-7.5.11-3.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the grafana-7.5.11-3.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-11651",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11651-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-39226 page",
"url": "https://www.suse.com/security/cve/CVE-2021-39226/"
}
],
"title": "grafana-7.5.11-3.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:11651-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "grafana-7.5.11-3.1.aarch64",
"product": {
"name": "grafana-7.5.11-3.1.aarch64",
"product_id": "grafana-7.5.11-3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-7.5.11-3.1.ppc64le",
"product": {
"name": "grafana-7.5.11-3.1.ppc64le",
"product_id": "grafana-7.5.11-3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-7.5.11-3.1.s390x",
"product": {
"name": "grafana-7.5.11-3.1.s390x",
"product_id": "grafana-7.5.11-3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-7.5.11-3.1.x86_64",
"product": {
"name": "grafana-7.5.11-3.1.x86_64",
"product_id": "grafana-7.5.11-3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-7.5.11-3.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-7.5.11-3.1.aarch64"
},
"product_reference": "grafana-7.5.11-3.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-7.5.11-3.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-7.5.11-3.1.ppc64le"
},
"product_reference": "grafana-7.5.11-3.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-7.5.11-3.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-7.5.11-3.1.s390x"
},
"product_reference": "grafana-7.5.11-3.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-7.5.11-3.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-7.5.11-3.1.x86_64"
},
"product_reference": "grafana-7.5.11-3.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-39226",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-39226"
}
],
"notes": [
{
"category": "general",
"text": "Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot \"public_mode\" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot \"public_mode\" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-7.5.11-3.1.aarch64",
"openSUSE Tumbleweed:grafana-7.5.11-3.1.ppc64le",
"openSUSE Tumbleweed:grafana-7.5.11-3.1.s390x",
"openSUSE Tumbleweed:grafana-7.5.11-3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-39226",
"url": "https://www.suse.com/security/cve/CVE-2021-39226"
},
{
"category": "external",
"summary": "SUSE Bug 1191454 for CVE-2021-39226",
"url": "https://bugzilla.suse.com/1191454"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-7.5.11-3.1.aarch64",
"openSUSE Tumbleweed:grafana-7.5.11-3.1.ppc64le",
"openSUSE Tumbleweed:grafana-7.5.11-3.1.s390x",
"openSUSE Tumbleweed:grafana-7.5.11-3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-7.5.11-3.1.aarch64",
"openSUSE Tumbleweed:grafana-7.5.11-3.1.ppc64le",
"openSUSE Tumbleweed:grafana-7.5.11-3.1.s390x",
"openSUSE Tumbleweed:grafana-7.5.11-3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2021-39226"
}
]
}
RHSA-2021:3769
Vulnerability from csaf_redhat - Published: 2021-10-12 10:48 - Updated: 2025-11-21 18:25
An authentication bypass was found in grafana. An attacker on the network is able to view and delete snapshots by accessing a literal path.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-0:6.2.2-7.el8_1.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-0:6.2.2-7.el8_1.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-0:6.2.2-7.el8_1.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-0:6.2.2-7.el8_1.src | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-0:6.2.2-7.el8_1.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-azure-monitor-0:6.2.2-7.el8_1.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-azure-monitor-0:6.2.2-7.el8_1.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-azure-monitor-0:6.2.2-7.el8_1.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-azure-monitor-0:6.2.2-7.el8_1.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-cloudwatch-0:6.2.2-7.el8_1.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-cloudwatch-0:6.2.2-7.el8_1.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-cloudwatch-0:6.2.2-7.el8_1.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-cloudwatch-0:6.2.2-7.el8_1.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-debuginfo-0:6.2.2-7.el8_1.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-debuginfo-0:6.2.2-7.el8_1.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-debuginfo-0:6.2.2-7.el8_1.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-debuginfo-0:6.2.2-7.el8_1.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-elasticsearch-0:6.2.2-7.el8_1.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-elasticsearch-0:6.2.2-7.el8_1.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-elasticsearch-0:6.2.2-7.el8_1.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-elasticsearch-0:6.2.2-7.el8_1.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-graphite-0:6.2.2-7.el8_1.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-graphite-0:6.2.2-7.el8_1.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-graphite-0:6.2.2-7.el8_1.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-graphite-0:6.2.2-7.el8_1.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-influxdb-0:6.2.2-7.el8_1.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-influxdb-0:6.2.2-7.el8_1.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-influxdb-0:6.2.2-7.el8_1.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-influxdb-0:6.2.2-7.el8_1.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-loki-0:6.2.2-7.el8_1.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-loki-0:6.2.2-7.el8_1.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-loki-0:6.2.2-7.el8_1.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-loki-0:6.2.2-7.el8_1.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-mssql-0:6.2.2-7.el8_1.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-mssql-0:6.2.2-7.el8_1.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-mssql-0:6.2.2-7.el8_1.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-mssql-0:6.2.2-7.el8_1.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-mysql-0:6.2.2-7.el8_1.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-mysql-0:6.2.2-7.el8_1.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-mysql-0:6.2.2-7.el8_1.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-mysql-0:6.2.2-7.el8_1.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-opentsdb-0:6.2.2-7.el8_1.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-opentsdb-0:6.2.2-7.el8_1.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-opentsdb-0:6.2.2-7.el8_1.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-opentsdb-0:6.2.2-7.el8_1.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-postgres-0:6.2.2-7.el8_1.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-postgres-0:6.2.2-7.el8_1.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-postgres-0:6.2.2-7.el8_1.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-postgres-0:6.2.2-7.el8_1.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-prometheus-0:6.2.2-7.el8_1.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-prometheus-0:6.2.2-7.el8_1.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-prometheus-0:6.2.2-7.el8_1.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-prometheus-0:6.2.2-7.el8_1.x86_64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-stackdriver-0:6.2.2-7.el8_1.aarch64 | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-stackdriver-0:6.2.2-7.el8_1.ppc64le | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-stackdriver-0:6.2.2-7.el8_1.s390x | — | | Vendor Fix (fix) |
| Unresolved product id: AppStream-8.1.0.Z.EUS:grafana-stackdriver-0:6.2.2-7.el8_1.x86_64 | — | | Vendor Fix (fix) |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for grafana is now available for Red Hat Enterprise Linux 8.1 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB. \n\nSecurity Fix(es):\n\n* grafana: Snapshot authentication bypass (CVE-2021-39226)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2021:3769",
"url": "https://access.redhat.com/errata/RHSA-2021:3769"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2011063",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2011063"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_3769.json"
}
],
"title": "Red Hat Security Advisory: grafana security update",
"tracking": {
"current_release_date": "2025-11-21T18:25:32+00:00",
"generator": {
"date": "2025-11-21T18:25:32+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2021:3769",
"initial_release_date": "2021-10-12T10:48:27+00:00",
"revision_history": [
{
"date": "2021-10-12T10:48:27+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2021-10-12T10:48:27+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:25:32+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:8.1::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:6.2.2-7.el8_1.src",
"product": {
"name": "grafana-0:6.2.2-7.el8_1.src",
"product_id": "grafana-0:6.2.2-7.el8_1.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@6.2.2-7.el8_1?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:6.2.2-7.el8_1.aarch64",
"product": {
"name": "grafana-0:6.2.2-7.el8_1.aarch64",
"product_id": "grafana-0:6.2.2-7.el8_1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@6.2.2-7.el8_1?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-azure-monitor-0:6.2.2-7.el8_1.aarch64",
"product": {
"name": "grafana-azure-monitor-0:6.2.2-7.el8_1.aarch64",
"product_id": "grafana-azure-monitor-0:6.2.2-7.el8_1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-azure-monitor@6.2.2-7.el8_1?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-cloudwatch-0:6.2.2-7.el8_1.aarch64",
"product": {
"name": "grafana-cloudwatch-0:6.2.2-7.el8_1.aarch64",
"product_id": "grafana-cloudwatch-0:6.2.2-7.el8_1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-cloudwatch@6.2.2-7.el8_1?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-elasticsearch-0:6.2.2-7.el8_1.aarch64",
"product": {
"name": "grafana-elasticsearch-0:6.2.2-7.el8_1.aarch64",
"product_id": "grafana-elasticsearch-0:6.2.2-7.el8_1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-elasticsearch@6.2.2-7.el8_1?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-graphite-0:6.2.2-7.el8_1.aarch64",
"product": {
"name": "grafana-graphite-0:6.2.2-7.el8_1.aarch64",
"product_id": "grafana-graphite-0:6.2.2-7.el8_1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-graphite@6.2.2-7.el8_1?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-influxdb-0:6.2.2-7.el8_1.aarch64",
"product": {
"name": "grafana-influxdb-0:6.2.2-7.el8_1.aarch64",
"product_id": "grafana-influxdb-0:6.2.2-7.el8_1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-influxdb@6.2.2-7.el8_1?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-loki-0:6.2.2-7.el8_1.aarch64",
"product": {
"name": "grafana-loki-0:6.2.2-7.el8_1.aarch64",
"product_id": "grafana-loki-0:6.2.2-7.el8_1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-loki@6.2.2-7.el8_1?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-mssql-0:6.2.2-7.el8_1.aarch64",
"product": {
"name": "grafana-mssql-0:6.2.2-7.el8_1.aarch64",
"product_id": "grafana-mssql-0:6.2.2-7.el8_1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-mssql@6.2.2-7.el8_1?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-mysql-0:6.2.2-7.el8_1.aarch64",
"product": {
"name": "grafana-mysql-0:6.2.2-7.el8_1.aarch64",
"product_id": "grafana-mysql-0:6.2.2-7.el8_1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-mysql@6.2.2-7.el8_1?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-opentsdb-0:6.2.2-7.el8_1.aarch64",
"product": {
"name": "grafana-opentsdb-0:6.2.2-7.el8_1.aarch64",
"product_id": "grafana-opentsdb-0:6.2.2-7.el8_1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-opentsdb@6.2.2-7.el8_1?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-postgres-0:6.2.2-7.el8_1.aarch64",
"product": {
"name": "grafana-postgres-0:6.2.2-7.el8_1.aarch64",
"product_id": "grafana-postgres-0:6.2.2-7.el8_1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-postgres@6.2.2-7.el8_1?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-prometheus-0:6.2.2-7.el8_1.aarch64",
"product": {
"name": "grafana-prometheus-0:6.2.2-7.el8_1.aarch64",
"product_id": "grafana-prometheus-0:6.2.2-7.el8_1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-prometheus@6.2.2-7.el8_1?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-stackdriver-0:6.2.2-7.el8_1.aarch64",
"product": {
"name": "grafana-stackdriver-0:6.2.2-7.el8_1.aarch64",
"product_id": "grafana-stackdriver-0:6.2.2-7.el8_1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-stackdriver@6.2.2-7.el8_1?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:6.2.2-7.el8_1.aarch64",
"product": {
"name": "grafana-debuginfo-0:6.2.2-7.el8_1.aarch64",
"product_id": "grafana-debuginfo-0:6.2.2-7.el8_1.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@6.2.2-7.el8_1?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:6.2.2-7.el8_1.ppc64le",
"product": {
"name": "grafana-0:6.2.2-7.el8_1.ppc64le",
"product_id": "grafana-0:6.2.2-7.el8_1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@6.2.2-7.el8_1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-azure-monitor-0:6.2.2-7.el8_1.ppc64le",
"product": {
"name": "grafana-azure-monitor-0:6.2.2-7.el8_1.ppc64le",
"product_id": "grafana-azure-monitor-0:6.2.2-7.el8_1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-azure-monitor@6.2.2-7.el8_1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-cloudwatch-0:6.2.2-7.el8_1.ppc64le",
"product": {
"name": "grafana-cloudwatch-0:6.2.2-7.el8_1.ppc64le",
"product_id": "grafana-cloudwatch-0:6.2.2-7.el8_1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-cloudwatch@6.2.2-7.el8_1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-elasticsearch-0:6.2.2-7.el8_1.ppc64le",
"product": {
"name": "grafana-elasticsearch-0:6.2.2-7.el8_1.ppc64le",
"product_id": "grafana-elasticsearch-0:6.2.2-7.el8_1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-elasticsearch@6.2.2-7.el8_1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-graphite-0:6.2.2-7.el8_1.ppc64le",
"product": {
"name": "grafana-graphite-0:6.2.2-7.el8_1.ppc64le",
"product_id": "grafana-graphite-0:6.2.2-7.el8_1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-graphite@6.2.2-7.el8_1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-influxdb-0:6.2.2-7.el8_1.ppc64le",
"product": {
"name": "grafana-influxdb-0:6.2.2-7.el8_1.ppc64le",
"product_id": "grafana-influxdb-0:6.2.2-7.el8_1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-influxdb@6.2.2-7.el8_1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-loki-0:6.2.2-7.el8_1.ppc64le",
"product": {
"name": "grafana-loki-0:6.2.2-7.el8_1.ppc64le",
"product_id": "grafana-loki-0:6.2.2-7.el8_1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-loki@6.2.2-7.el8_1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-mssql-0:6.2.2-7.el8_1.ppc64le",
"product": {
"name": "grafana-mssql-0:6.2.2-7.el8_1.ppc64le",
"product_id": "grafana-mssql-0:6.2.2-7.el8_1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-mssql@6.2.2-7.el8_1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-mysql-0:6.2.2-7.el8_1.ppc64le",
"product": {
"name": "grafana-mysql-0:6.2.2-7.el8_1.ppc64le",
"product_id": "grafana-mysql-0:6.2.2-7.el8_1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-mysql@6.2.2-7.el8_1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-opentsdb-0:6.2.2-7.el8_1.ppc64le",
"product": {
"name": "grafana-opentsdb-0:6.2.2-7.el8_1.ppc64le",
"product_id": "grafana-opentsdb-0:6.2.2-7.el8_1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-opentsdb@6.2.2-7.el8_1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-postgres-0:6.2.2-7.el8_1.ppc64le",
"product": {
"name": "grafana-postgres-0:6.2.2-7.el8_1.ppc64le",
"product_id": "grafana-postgres-0:6.2.2-7.el8_1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-postgres@6.2.2-7.el8_1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-prometheus-0:6.2.2-7.el8_1.ppc64le",
"product": {
"name": "grafana-prometheus-0:6.2.2-7.el8_1.ppc64le",
"product_id": "grafana-prometheus-0:6.2.2-7.el8_1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-prometheus@6.2.2-7.el8_1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-stackdriver-0:6.2.2-7.el8_1.ppc64le",
"product": {
"name": "grafana-stackdriver-0:6.2.2-7.el8_1.ppc64le",
"product_id": "grafana-stackdriver-0:6.2.2-7.el8_1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-stackdriver@6.2.2-7.el8_1?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:6.2.2-7.el8_1.ppc64le",
"product": {
"name": "grafana-debuginfo-0:6.2.2-7.el8_1.ppc64le",
"product_id": "grafana-debuginfo-0:6.2.2-7.el8_1.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@6.2.2-7.el8_1?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:6.2.2-7.el8_1.x86_64",
"product": {
"name": "grafana-0:6.2.2-7.el8_1.x86_64",
"product_id": "grafana-0:6.2.2-7.el8_1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@6.2.2-7.el8_1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-azure-monitor-0:6.2.2-7.el8_1.x86_64",
"product": {
"name": "grafana-azure-monitor-0:6.2.2-7.el8_1.x86_64",
"product_id": "grafana-azure-monitor-0:6.2.2-7.el8_1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-azure-monitor@6.2.2-7.el8_1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-cloudwatch-0:6.2.2-7.el8_1.x86_64",
"product": {
"name": "grafana-cloudwatch-0:6.2.2-7.el8_1.x86_64",
"product_id": "grafana-cloudwatch-0:6.2.2-7.el8_1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-cloudwatch@6.2.2-7.el8_1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-elasticsearch-0:6.2.2-7.el8_1.x86_64",
"product": {
"name": "grafana-elasticsearch-0:6.2.2-7.el8_1.x86_64",
"product_id": "grafana-elasticsearch-0:6.2.2-7.el8_1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-elasticsearch@6.2.2-7.el8_1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-graphite-0:6.2.2-7.el8_1.x86_64",
"product": {
"name": "grafana-graphite-0:6.2.2-7.el8_1.x86_64",
"product_id": "grafana-graphite-0:6.2.2-7.el8_1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-graphite@6.2.2-7.el8_1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-influxdb-0:6.2.2-7.el8_1.x86_64",
"product": {
"name": "grafana-influxdb-0:6.2.2-7.el8_1.x86_64",
"product_id": "grafana-influxdb-0:6.2.2-7.el8_1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-influxdb@6.2.2-7.el8_1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-loki-0:6.2.2-7.el8_1.x86_64",
"product": {
"name": "grafana-loki-0:6.2.2-7.el8_1.x86_64",
"product_id": "grafana-loki-0:6.2.2-7.el8_1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-loki@6.2.2-7.el8_1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-mssql-0:6.2.2-7.el8_1.x86_64",
"product": {
"name": "grafana-mssql-0:6.2.2-7.el8_1.x86_64",
"product_id": "grafana-mssql-0:6.2.2-7.el8_1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-mssql@6.2.2-7.el8_1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-mysql-0:6.2.2-7.el8_1.x86_64",
"product": {
"name": "grafana-mysql-0:6.2.2-7.el8_1.x86_64",
"product_id": "grafana-mysql-0:6.2.2-7.el8_1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-mysql@6.2.2-7.el8_1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-opentsdb-0:6.2.2-7.el8_1.x86_64",
"product": {
"name": "grafana-opentsdb-0:6.2.2-7.el8_1.x86_64",
"product_id": "grafana-opentsdb-0:6.2.2-7.el8_1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-opentsdb@6.2.2-7.el8_1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-postgres-0:6.2.2-7.el8_1.x86_64",
"product": {
"name": "grafana-postgres-0:6.2.2-7.el8_1.x86_64",
"product_id": "grafana-postgres-0:6.2.2-7.el8_1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-postgres@6.2.2-7.el8_1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-prometheus-0:6.2.2-7.el8_1.x86_64",
"product": {
"name": "grafana-prometheus-0:6.2.2-7.el8_1.x86_64",
"product_id": "grafana-prometheus-0:6.2.2-7.el8_1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-prometheus@6.2.2-7.el8_1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-stackdriver-0:6.2.2-7.el8_1.x86_64",
"product": {
"name": "grafana-stackdriver-0:6.2.2-7.el8_1.x86_64",
"product_id": "grafana-stackdriver-0:6.2.2-7.el8_1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-stackdriver@6.2.2-7.el8_1?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:6.2.2-7.el8_1.x86_64",
"product": {
"name": "grafana-debuginfo-0:6.2.2-7.el8_1.x86_64",
"product_id": "grafana-debuginfo-0:6.2.2-7.el8_1.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@6.2.2-7.el8_1?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:6.2.2-7.el8_1.s390x",
"product": {
"name": "grafana-0:6.2.2-7.el8_1.s390x",
"product_id": "grafana-0:6.2.2-7.el8_1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@6.2.2-7.el8_1?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-azure-monitor-0:6.2.2-7.el8_1.s390x",
"product": {
"name": "grafana-azure-monitor-0:6.2.2-7.el8_1.s390x",
"product_id": "grafana-azure-monitor-0:6.2.2-7.el8_1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-azure-monitor@6.2.2-7.el8_1?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-cloudwatch-0:6.2.2-7.el8_1.s390x",
"product": {
"name": "grafana-cloudwatch-0:6.2.2-7.el8_1.s390x",
"product_id": "grafana-cloudwatch-0:6.2.2-7.el8_1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-cloudwatch@6.2.2-7.el8_1?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-elasticsearch-0:6.2.2-7.el8_1.s390x",
"product": {
"name": "grafana-elasticsearch-0:6.2.2-7.el8_1.s390x",
"product_id": "grafana-elasticsearch-0:6.2.2-7.el8_1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-elasticsearch@6.2.2-7.el8_1?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-graphite-0:6.2.2-7.el8_1.s390x",
"product": {
"name": "grafana-graphite-0:6.2.2-7.el8_1.s390x",
"product_id": "grafana-graphite-0:6.2.2-7.el8_1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-graphite@6.2.2-7.el8_1?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-influxdb-0:6.2.2-7.el8_1.s390x",
"product": {
"name": "grafana-influxdb-0:6.2.2-7.el8_1.s390x",
"product_id": "grafana-influxdb-0:6.2.2-7.el8_1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-influxdb@6.2.2-7.el8_1?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-loki-0:6.2.2-7.el8_1.s390x",
"product": {
"name": "grafana-loki-0:6.2.2-7.el8_1.s390x",
"product_id": "grafana-loki-0:6.2.2-7.el8_1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-loki@6.2.2-7.el8_1?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-mssql-0:6.2.2-7.el8_1.s390x",
"product": {
"name": "grafana-mssql-0:6.2.2-7.el8_1.s390x",
"product_id": "grafana-mssql-0:6.2.2-7.el8_1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-mssql@6.2.2-7.el8_1?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-mysql-0:6.2.2-7.el8_1.s390x",
"product": {
"name": "grafana-mysql-0:6.2.2-7.el8_1.s390x",
"product_id": "grafana-mysql-0:6.2.2-7.el8_1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-mysql@6.2.2-7.el8_1?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-opentsdb-0:6.2.2-7.el8_1.s390x",
"product": {
"name": "grafana-opentsdb-0:6.2.2-7.el8_1.s390x",
"product_id": "grafana-opentsdb-0:6.2.2-7.el8_1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-opentsdb@6.2.2-7.el8_1?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-postgres-0:6.2.2-7.el8_1.s390x",
"product": {
"name": "grafana-postgres-0:6.2.2-7.el8_1.s390x",
"product_id": "grafana-postgres-0:6.2.2-7.el8_1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-postgres@6.2.2-7.el8_1?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-prometheus-0:6.2.2-7.el8_1.s390x",
"product": {
"name": "grafana-prometheus-0:6.2.2-7.el8_1.s390x",
"product_id": "grafana-prometheus-0:6.2.2-7.el8_1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-prometheus@6.2.2-7.el8_1?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-stackdriver-0:6.2.2-7.el8_1.s390x",
"product": {
"name": "grafana-stackdriver-0:6.2.2-7.el8_1.s390x",
"product_id": "grafana-stackdriver-0:6.2.2-7.el8_1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-stackdriver@6.2.2-7.el8_1?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:6.2.2-7.el8_1.s390x",
"product": {
"name": "grafana-debuginfo-0:6.2.2-7.el8_1.s390x",
"product_id": "grafana-debuginfo-0:6.2.2-7.el8_1.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@6.2.2-7.el8_1?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:6.2.2-7.el8_1.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-0:6.2.2-7.el8_1.aarch64"
},
"product_reference": "grafana-0:6.2.2-7.el8_1.aarch64",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:6.2.2-7.el8_1.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-0:6.2.2-7.el8_1.ppc64le"
},
"product_reference": "grafana-0:6.2.2-7.el8_1.ppc64le",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:6.2.2-7.el8_1.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-0:6.2.2-7.el8_1.s390x"
},
"product_reference": "grafana-0:6.2.2-7.el8_1.s390x",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:6.2.2-7.el8_1.src as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-0:6.2.2-7.el8_1.src"
},
"product_reference": "grafana-0:6.2.2-7.el8_1.src",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:6.2.2-7.el8_1.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-0:6.2.2-7.el8_1.x86_64"
},
"product_reference": "grafana-0:6.2.2-7.el8_1.x86_64",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-azure-monitor-0:6.2.2-7.el8_1.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-azure-monitor-0:6.2.2-7.el8_1.aarch64"
},
"product_reference": "grafana-azure-monitor-0:6.2.2-7.el8_1.aarch64",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-azure-monitor-0:6.2.2-7.el8_1.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-azure-monitor-0:6.2.2-7.el8_1.ppc64le"
},
"product_reference": "grafana-azure-monitor-0:6.2.2-7.el8_1.ppc64le",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-azure-monitor-0:6.2.2-7.el8_1.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-azure-monitor-0:6.2.2-7.el8_1.s390x"
},
"product_reference": "grafana-azure-monitor-0:6.2.2-7.el8_1.s390x",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-azure-monitor-0:6.2.2-7.el8_1.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-azure-monitor-0:6.2.2-7.el8_1.x86_64"
},
"product_reference": "grafana-azure-monitor-0:6.2.2-7.el8_1.x86_64",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-cloudwatch-0:6.2.2-7.el8_1.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-cloudwatch-0:6.2.2-7.el8_1.aarch64"
},
"product_reference": "grafana-cloudwatch-0:6.2.2-7.el8_1.aarch64",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-cloudwatch-0:6.2.2-7.el8_1.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-cloudwatch-0:6.2.2-7.el8_1.ppc64le"
},
"product_reference": "grafana-cloudwatch-0:6.2.2-7.el8_1.ppc64le",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-cloudwatch-0:6.2.2-7.el8_1.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-cloudwatch-0:6.2.2-7.el8_1.s390x"
},
"product_reference": "grafana-cloudwatch-0:6.2.2-7.el8_1.s390x",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-cloudwatch-0:6.2.2-7.el8_1.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-cloudwatch-0:6.2.2-7.el8_1.x86_64"
},
"product_reference": "grafana-cloudwatch-0:6.2.2-7.el8_1.x86_64",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:6.2.2-7.el8_1.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-debuginfo-0:6.2.2-7.el8_1.aarch64"
},
"product_reference": "grafana-debuginfo-0:6.2.2-7.el8_1.aarch64",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:6.2.2-7.el8_1.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-debuginfo-0:6.2.2-7.el8_1.ppc64le"
},
"product_reference": "grafana-debuginfo-0:6.2.2-7.el8_1.ppc64le",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:6.2.2-7.el8_1.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-debuginfo-0:6.2.2-7.el8_1.s390x"
},
"product_reference": "grafana-debuginfo-0:6.2.2-7.el8_1.s390x",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:6.2.2-7.el8_1.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-debuginfo-0:6.2.2-7.el8_1.x86_64"
},
"product_reference": "grafana-debuginfo-0:6.2.2-7.el8_1.x86_64",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-elasticsearch-0:6.2.2-7.el8_1.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-elasticsearch-0:6.2.2-7.el8_1.aarch64"
},
"product_reference": "grafana-elasticsearch-0:6.2.2-7.el8_1.aarch64",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-elasticsearch-0:6.2.2-7.el8_1.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-elasticsearch-0:6.2.2-7.el8_1.ppc64le"
},
"product_reference": "grafana-elasticsearch-0:6.2.2-7.el8_1.ppc64le",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-elasticsearch-0:6.2.2-7.el8_1.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-elasticsearch-0:6.2.2-7.el8_1.s390x"
},
"product_reference": "grafana-elasticsearch-0:6.2.2-7.el8_1.s390x",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-elasticsearch-0:6.2.2-7.el8_1.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-elasticsearch-0:6.2.2-7.el8_1.x86_64"
},
"product_reference": "grafana-elasticsearch-0:6.2.2-7.el8_1.x86_64",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-graphite-0:6.2.2-7.el8_1.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-graphite-0:6.2.2-7.el8_1.aarch64"
},
"product_reference": "grafana-graphite-0:6.2.2-7.el8_1.aarch64",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-graphite-0:6.2.2-7.el8_1.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-graphite-0:6.2.2-7.el8_1.ppc64le"
},
"product_reference": "grafana-graphite-0:6.2.2-7.el8_1.ppc64le",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-graphite-0:6.2.2-7.el8_1.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-graphite-0:6.2.2-7.el8_1.s390x"
},
"product_reference": "grafana-graphite-0:6.2.2-7.el8_1.s390x",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-graphite-0:6.2.2-7.el8_1.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-graphite-0:6.2.2-7.el8_1.x86_64"
},
"product_reference": "grafana-graphite-0:6.2.2-7.el8_1.x86_64",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-influxdb-0:6.2.2-7.el8_1.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-influxdb-0:6.2.2-7.el8_1.aarch64"
},
"product_reference": "grafana-influxdb-0:6.2.2-7.el8_1.aarch64",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-influxdb-0:6.2.2-7.el8_1.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-influxdb-0:6.2.2-7.el8_1.ppc64le"
},
"product_reference": "grafana-influxdb-0:6.2.2-7.el8_1.ppc64le",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-influxdb-0:6.2.2-7.el8_1.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-influxdb-0:6.2.2-7.el8_1.s390x"
},
"product_reference": "grafana-influxdb-0:6.2.2-7.el8_1.s390x",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-influxdb-0:6.2.2-7.el8_1.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-influxdb-0:6.2.2-7.el8_1.x86_64"
},
"product_reference": "grafana-influxdb-0:6.2.2-7.el8_1.x86_64",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-loki-0:6.2.2-7.el8_1.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-loki-0:6.2.2-7.el8_1.aarch64"
},
"product_reference": "grafana-loki-0:6.2.2-7.el8_1.aarch64",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-loki-0:6.2.2-7.el8_1.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-loki-0:6.2.2-7.el8_1.ppc64le"
},
"product_reference": "grafana-loki-0:6.2.2-7.el8_1.ppc64le",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-loki-0:6.2.2-7.el8_1.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-loki-0:6.2.2-7.el8_1.s390x"
},
"product_reference": "grafana-loki-0:6.2.2-7.el8_1.s390x",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-loki-0:6.2.2-7.el8_1.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-loki-0:6.2.2-7.el8_1.x86_64"
},
"product_reference": "grafana-loki-0:6.2.2-7.el8_1.x86_64",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-mssql-0:6.2.2-7.el8_1.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-mssql-0:6.2.2-7.el8_1.aarch64"
},
"product_reference": "grafana-mssql-0:6.2.2-7.el8_1.aarch64",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-mssql-0:6.2.2-7.el8_1.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-mssql-0:6.2.2-7.el8_1.ppc64le"
},
"product_reference": "grafana-mssql-0:6.2.2-7.el8_1.ppc64le",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-mssql-0:6.2.2-7.el8_1.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-mssql-0:6.2.2-7.el8_1.s390x"
},
"product_reference": "grafana-mssql-0:6.2.2-7.el8_1.s390x",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-mssql-0:6.2.2-7.el8_1.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-mssql-0:6.2.2-7.el8_1.x86_64"
},
"product_reference": "grafana-mssql-0:6.2.2-7.el8_1.x86_64",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-mysql-0:6.2.2-7.el8_1.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-mysql-0:6.2.2-7.el8_1.aarch64"
},
"product_reference": "grafana-mysql-0:6.2.2-7.el8_1.aarch64",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-mysql-0:6.2.2-7.el8_1.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-mysql-0:6.2.2-7.el8_1.ppc64le"
},
"product_reference": "grafana-mysql-0:6.2.2-7.el8_1.ppc64le",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-mysql-0:6.2.2-7.el8_1.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-mysql-0:6.2.2-7.el8_1.s390x"
},
"product_reference": "grafana-mysql-0:6.2.2-7.el8_1.s390x",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-mysql-0:6.2.2-7.el8_1.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-mysql-0:6.2.2-7.el8_1.x86_64"
},
"product_reference": "grafana-mysql-0:6.2.2-7.el8_1.x86_64",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-opentsdb-0:6.2.2-7.el8_1.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-opentsdb-0:6.2.2-7.el8_1.aarch64"
},
"product_reference": "grafana-opentsdb-0:6.2.2-7.el8_1.aarch64",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-opentsdb-0:6.2.2-7.el8_1.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-opentsdb-0:6.2.2-7.el8_1.ppc64le"
},
"product_reference": "grafana-opentsdb-0:6.2.2-7.el8_1.ppc64le",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-opentsdb-0:6.2.2-7.el8_1.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-opentsdb-0:6.2.2-7.el8_1.s390x"
},
"product_reference": "grafana-opentsdb-0:6.2.2-7.el8_1.s390x",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-opentsdb-0:6.2.2-7.el8_1.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-opentsdb-0:6.2.2-7.el8_1.x86_64"
},
"product_reference": "grafana-opentsdb-0:6.2.2-7.el8_1.x86_64",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-postgres-0:6.2.2-7.el8_1.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-postgres-0:6.2.2-7.el8_1.aarch64"
},
"product_reference": "grafana-postgres-0:6.2.2-7.el8_1.aarch64",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-postgres-0:6.2.2-7.el8_1.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-postgres-0:6.2.2-7.el8_1.ppc64le"
},
"product_reference": "grafana-postgres-0:6.2.2-7.el8_1.ppc64le",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-postgres-0:6.2.2-7.el8_1.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-postgres-0:6.2.2-7.el8_1.s390x"
},
"product_reference": "grafana-postgres-0:6.2.2-7.el8_1.s390x",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-postgres-0:6.2.2-7.el8_1.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-postgres-0:6.2.2-7.el8_1.x86_64"
},
"product_reference": "grafana-postgres-0:6.2.2-7.el8_1.x86_64",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-prometheus-0:6.2.2-7.el8_1.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-prometheus-0:6.2.2-7.el8_1.aarch64"
},
"product_reference": "grafana-prometheus-0:6.2.2-7.el8_1.aarch64",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-prometheus-0:6.2.2-7.el8_1.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-prometheus-0:6.2.2-7.el8_1.ppc64le"
},
"product_reference": "grafana-prometheus-0:6.2.2-7.el8_1.ppc64le",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-prometheus-0:6.2.2-7.el8_1.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-prometheus-0:6.2.2-7.el8_1.s390x"
},
"product_reference": "grafana-prometheus-0:6.2.2-7.el8_1.s390x",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-prometheus-0:6.2.2-7.el8_1.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-prometheus-0:6.2.2-7.el8_1.x86_64"
},
"product_reference": "grafana-prometheus-0:6.2.2-7.el8_1.x86_64",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-stackdriver-0:6.2.2-7.el8_1.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-stackdriver-0:6.2.2-7.el8_1.aarch64"
},
"product_reference": "grafana-stackdriver-0:6.2.2-7.el8_1.aarch64",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-stackdriver-0:6.2.2-7.el8_1.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-stackdriver-0:6.2.2-7.el8_1.ppc64le"
},
"product_reference": "grafana-stackdriver-0:6.2.2-7.el8_1.ppc64le",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-stackdriver-0:6.2.2-7.el8_1.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-stackdriver-0:6.2.2-7.el8_1.s390x"
},
"product_reference": "grafana-stackdriver-0:6.2.2-7.el8_1.s390x",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-stackdriver-0:6.2.2-7.el8_1.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.1)",
"product_id": "AppStream-8.1.0.Z.EUS:grafana-stackdriver-0:6.2.2-7.el8_1.x86_64"
},
"product_reference": "grafana-stackdriver-0:6.2.2-7.el8_1.x86_64",
"relates_to_product_reference": "AppStream-8.1.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-39226",
"cwe": {
"id": "CWE-639",
"name": "Authorization Bypass Through User-Controlled Key"
},
"discovery_date": "2021-10-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2011063"
}
],
"notes": [
{
"category": "description",
"text": "An authentication bypass was found in grafana. An attacker on the network is able to view and delete snapshots by accessing a literal path.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: Snapshot authentication bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP), Red Hat Advanced Cluster Management for Kubernetes (RHACM), and OpenShift ServiceMesh (OSSM) the grafana components are protected by OpenShift OAuth that reduces the impact of this flaw to Moderate. Access to the grafana panel where snapshots can be created requires admin permissions. Additionally snapshots by default are not available to unauthenticated users and don\u0027t contain sensitive data.\n\nSince snapshots by default are not available to unauthenticated users and don\u0027t contain sensitive data, impact has been lowered for Red Hat Gluster Storage 3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.1.0.Z.EUS:grafana-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-0:6.2.2-7.el8_1.src",
"AppStream-8.1.0.Z.EUS:grafana-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-azure-monitor-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-azure-monitor-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-azure-monitor-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-azure-monitor-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-cloudwatch-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-cloudwatch-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-cloudwatch-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-cloudwatch-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-debuginfo-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-debuginfo-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-debuginfo-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-debuginfo-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-elasticsearch-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-elasticsearch-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-elasticsearch-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-elasticsearch-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-graphite-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-graphite-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-graphite-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-graphite-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-influxdb-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-influxdb-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-influxdb-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-influxdb-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-loki-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-loki-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-loki-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-loki-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-mssql-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-mssql-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-mssql-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-mssql-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-mysql-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-mysql-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-mysql-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-mysql-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-opentsdb-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-opentsdb-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-opentsdb-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-opentsdb-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-postgres-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-postgres-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-postgres-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-postgres-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-prometheus-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-prometheus-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-prometheus-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-prometheus-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-stackdriver-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-stackdriver-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-stackdriver-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-stackdriver-0:6.2.2-7.el8_1.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39226"
},
{
"category": "external",
"summary": "RHBZ#2011063",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2011063"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39226",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39226"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39226",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39226"
},
{
"category": "external",
"summary": "https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9"
},
{
"category": "external",
"summary": "https://grafana.com/blog/2021/10/05/grafana-7.5.11-and-8.1.6-released-with-critical-security-fix/",
"url": "https://grafana.com/blog/2021/10/05/grafana-7.5.11-and-8.1.6-released-with-critical-security-fix/"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2021-10-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-10-12T10:48:27+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.1.0.Z.EUS:grafana-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-0:6.2.2-7.el8_1.src",
"AppStream-8.1.0.Z.EUS:grafana-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-azure-monitor-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-azure-monitor-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-azure-monitor-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-azure-monitor-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-cloudwatch-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-cloudwatch-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-cloudwatch-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-cloudwatch-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-debuginfo-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-debuginfo-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-debuginfo-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-debuginfo-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-elasticsearch-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-elasticsearch-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-elasticsearch-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-elasticsearch-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-graphite-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-graphite-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-graphite-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-graphite-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-influxdb-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-influxdb-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-influxdb-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-influxdb-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-loki-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-loki-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-loki-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-loki-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-mssql-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-mssql-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-mssql-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-mssql-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-mysql-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-mysql-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-mysql-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-mysql-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-opentsdb-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-opentsdb-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-opentsdb-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-opentsdb-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-postgres-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-postgres-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-postgres-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-postgres-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-prometheus-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-prometheus-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-prometheus-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-prometheus-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-stackdriver-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-stackdriver-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-stackdriver-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-stackdriver-0:6.2.2-7.el8_1.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3769"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"AppStream-8.1.0.Z.EUS:grafana-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-0:6.2.2-7.el8_1.src",
"AppStream-8.1.0.Z.EUS:grafana-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-azure-monitor-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-azure-monitor-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-azure-monitor-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-azure-monitor-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-cloudwatch-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-cloudwatch-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-cloudwatch-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-cloudwatch-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-debuginfo-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-debuginfo-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-debuginfo-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-debuginfo-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-elasticsearch-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-elasticsearch-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-elasticsearch-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-elasticsearch-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-graphite-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-graphite-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-graphite-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-graphite-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-influxdb-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-influxdb-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-influxdb-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-influxdb-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-loki-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-loki-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-loki-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-loki-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-mssql-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-mssql-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-mssql-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-mssql-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-mysql-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-mysql-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-mysql-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-mysql-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-opentsdb-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-opentsdb-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-opentsdb-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-opentsdb-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-postgres-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-postgres-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-postgres-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-postgres-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-prometheus-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-prometheus-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-prometheus-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-prometheus-0:6.2.2-7.el8_1.x86_64",
"AppStream-8.1.0.Z.EUS:grafana-stackdriver-0:6.2.2-7.el8_1.aarch64",
"AppStream-8.1.0.Z.EUS:grafana-stackdriver-0:6.2.2-7.el8_1.ppc64le",
"AppStream-8.1.0.Z.EUS:grafana-stackdriver-0:6.2.2-7.el8_1.s390x",
"AppStream-8.1.0.Z.EUS:grafana-stackdriver-0:6.2.2-7.el8_1.x86_64"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2022-08-25T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Important"
}
],
"title": "grafana: Snapshot authentication bypass"
}
]
}
RHSA-2021:3770
Vulnerability from csaf_redhat - Published: 2021-10-12 10:52 - Updated: 2025-11-21 18:25

An authentication bypass was found in grafana. An attacker on the network is able to view and delete snapshots by accessing a literal path.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-0:6.3.6-3.el8_2.aarch64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-0:6.3.6-3.el8_2.ppc64le | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-0:6.3.6-3.el8_2.s390x | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-0:6.3.6-3.el8_2.src | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-0:6.3.6-3.el8_2.x86_64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-azure-monitor-0:6.3.6-3.el8_2.aarch64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-azure-monitor-0:6.3.6-3.el8_2.ppc64le | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-azure-monitor-0:6.3.6-3.el8_2.s390x | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-azure-monitor-0:6.3.6-3.el8_2.x86_64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-cloudwatch-0:6.3.6-3.el8_2.aarch64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-cloudwatch-0:6.3.6-3.el8_2.ppc64le | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-cloudwatch-0:6.3.6-3.el8_2.s390x | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-cloudwatch-0:6.3.6-3.el8_2.x86_64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-debuginfo-0:6.3.6-3.el8_2.aarch64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-debuginfo-0:6.3.6-3.el8_2.ppc64le | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-debuginfo-0:6.3.6-3.el8_2.s390x | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-debuginfo-0:6.3.6-3.el8_2.x86_64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-elasticsearch-0:6.3.6-3.el8_2.aarch64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-elasticsearch-0:6.3.6-3.el8_2.ppc64le | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-elasticsearch-0:6.3.6-3.el8_2.s390x | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-elasticsearch-0:6.3.6-3.el8_2.x86_64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-graphite-0:6.3.6-3.el8_2.aarch64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-graphite-0:6.3.6-3.el8_2.ppc64le | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-graphite-0:6.3.6-3.el8_2.s390x | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-graphite-0:6.3.6-3.el8_2.x86_64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-influxdb-0:6.3.6-3.el8_2.aarch64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-influxdb-0:6.3.6-3.el8_2.ppc64le | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-influxdb-0:6.3.6-3.el8_2.s390x | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-influxdb-0:6.3.6-3.el8_2.x86_64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-loki-0:6.3.6-3.el8_2.aarch64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-loki-0:6.3.6-3.el8_2.ppc64le | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-loki-0:6.3.6-3.el8_2.s390x | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-loki-0:6.3.6-3.el8_2.x86_64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-mssql-0:6.3.6-3.el8_2.aarch64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-mssql-0:6.3.6-3.el8_2.ppc64le | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-mssql-0:6.3.6-3.el8_2.s390x | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-mssql-0:6.3.6-3.el8_2.x86_64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-mysql-0:6.3.6-3.el8_2.aarch64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-mysql-0:6.3.6-3.el8_2.ppc64le | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-mysql-0:6.3.6-3.el8_2.s390x | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-mysql-0:6.3.6-3.el8_2.x86_64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-opentsdb-0:6.3.6-3.el8_2.aarch64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-opentsdb-0:6.3.6-3.el8_2.ppc64le | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-opentsdb-0:6.3.6-3.el8_2.s390x | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-opentsdb-0:6.3.6-3.el8_2.x86_64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-postgres-0:6.3.6-3.el8_2.aarch64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-postgres-0:6.3.6-3.el8_2.ppc64le | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-postgres-0:6.3.6-3.el8_2.s390x | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-postgres-0:6.3.6-3.el8_2.x86_64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-prometheus-0:6.3.6-3.el8_2.aarch64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-prometheus-0:6.3.6-3.el8_2.ppc64le | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-prometheus-0:6.3.6-3.el8_2.s390x | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-prometheus-0:6.3.6-3.el8_2.x86_64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-stackdriver-0:6.3.6-3.el8_2.aarch64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-stackdriver-0:6.3.6-3.el8_2.ppc64le | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-stackdriver-0:6.3.6-3.el8_2.s390x | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.2.0.Z.EUS:grafana-stackdriver-0:6.3.6-3.el8_2.x86_64 | — | Vendor Fix fix | |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for grafana is now available for Red Hat Enterprise Linux 8.2 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB. \n\nSecurity Fix(es):\n\n* grafana: Snapshot authentication bypass (CVE-2021-39226)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2021:3770",
"url": "https://access.redhat.com/errata/RHSA-2021:3770"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2011063",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2011063"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_3770.json"
}
],
"title": "Red Hat Security Advisory: grafana security update",
"tracking": {
"current_release_date": "2025-11-21T18:25:33+00:00",
"generator": {
"date": "2025-11-21T18:25:33+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2021:3770",
"initial_release_date": "2021-10-12T10:52:17+00:00",
"revision_history": [
{
"date": "2021-10-12T10:52:17+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2021-10-12T10:52:17+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:25:33+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product": {
"name": "Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_eus:8.2::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:6.3.6-3.el8_2.src",
"product": {
"name": "grafana-0:6.3.6-3.el8_2.src",
"product_id": "grafana-0:6.3.6-3.el8_2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@6.3.6-3.el8_2?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:6.3.6-3.el8_2.aarch64",
"product": {
"name": "grafana-0:6.3.6-3.el8_2.aarch64",
"product_id": "grafana-0:6.3.6-3.el8_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@6.3.6-3.el8_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-azure-monitor-0:6.3.6-3.el8_2.aarch64",
"product": {
"name": "grafana-azure-monitor-0:6.3.6-3.el8_2.aarch64",
"product_id": "grafana-azure-monitor-0:6.3.6-3.el8_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-azure-monitor@6.3.6-3.el8_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-cloudwatch-0:6.3.6-3.el8_2.aarch64",
"product": {
"name": "grafana-cloudwatch-0:6.3.6-3.el8_2.aarch64",
"product_id": "grafana-cloudwatch-0:6.3.6-3.el8_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-cloudwatch@6.3.6-3.el8_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-elasticsearch-0:6.3.6-3.el8_2.aarch64",
"product": {
"name": "grafana-elasticsearch-0:6.3.6-3.el8_2.aarch64",
"product_id": "grafana-elasticsearch-0:6.3.6-3.el8_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-elasticsearch@6.3.6-3.el8_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-graphite-0:6.3.6-3.el8_2.aarch64",
"product": {
"name": "grafana-graphite-0:6.3.6-3.el8_2.aarch64",
"product_id": "grafana-graphite-0:6.3.6-3.el8_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-graphite@6.3.6-3.el8_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-influxdb-0:6.3.6-3.el8_2.aarch64",
"product": {
"name": "grafana-influxdb-0:6.3.6-3.el8_2.aarch64",
"product_id": "grafana-influxdb-0:6.3.6-3.el8_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-influxdb@6.3.6-3.el8_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-loki-0:6.3.6-3.el8_2.aarch64",
"product": {
"name": "grafana-loki-0:6.3.6-3.el8_2.aarch64",
"product_id": "grafana-loki-0:6.3.6-3.el8_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-loki@6.3.6-3.el8_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-mssql-0:6.3.6-3.el8_2.aarch64",
"product": {
"name": "grafana-mssql-0:6.3.6-3.el8_2.aarch64",
"product_id": "grafana-mssql-0:6.3.6-3.el8_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-mssql@6.3.6-3.el8_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-mysql-0:6.3.6-3.el8_2.aarch64",
"product": {
"name": "grafana-mysql-0:6.3.6-3.el8_2.aarch64",
"product_id": "grafana-mysql-0:6.3.6-3.el8_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-mysql@6.3.6-3.el8_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-opentsdb-0:6.3.6-3.el8_2.aarch64",
"product": {
"name": "grafana-opentsdb-0:6.3.6-3.el8_2.aarch64",
"product_id": "grafana-opentsdb-0:6.3.6-3.el8_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-opentsdb@6.3.6-3.el8_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-postgres-0:6.3.6-3.el8_2.aarch64",
"product": {
"name": "grafana-postgres-0:6.3.6-3.el8_2.aarch64",
"product_id": "grafana-postgres-0:6.3.6-3.el8_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-postgres@6.3.6-3.el8_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-prometheus-0:6.3.6-3.el8_2.aarch64",
"product": {
"name": "grafana-prometheus-0:6.3.6-3.el8_2.aarch64",
"product_id": "grafana-prometheus-0:6.3.6-3.el8_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-prometheus@6.3.6-3.el8_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-stackdriver-0:6.3.6-3.el8_2.aarch64",
"product": {
"name": "grafana-stackdriver-0:6.3.6-3.el8_2.aarch64",
"product_id": "grafana-stackdriver-0:6.3.6-3.el8_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-stackdriver@6.3.6-3.el8_2?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:6.3.6-3.el8_2.aarch64",
"product": {
"name": "grafana-debuginfo-0:6.3.6-3.el8_2.aarch64",
"product_id": "grafana-debuginfo-0:6.3.6-3.el8_2.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@6.3.6-3.el8_2?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:6.3.6-3.el8_2.ppc64le",
"product": {
"name": "grafana-0:6.3.6-3.el8_2.ppc64le",
"product_id": "grafana-0:6.3.6-3.el8_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@6.3.6-3.el8_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-azure-monitor-0:6.3.6-3.el8_2.ppc64le",
"product": {
"name": "grafana-azure-monitor-0:6.3.6-3.el8_2.ppc64le",
"product_id": "grafana-azure-monitor-0:6.3.6-3.el8_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-azure-monitor@6.3.6-3.el8_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-cloudwatch-0:6.3.6-3.el8_2.ppc64le",
"product": {
"name": "grafana-cloudwatch-0:6.3.6-3.el8_2.ppc64le",
"product_id": "grafana-cloudwatch-0:6.3.6-3.el8_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-cloudwatch@6.3.6-3.el8_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-elasticsearch-0:6.3.6-3.el8_2.ppc64le",
"product": {
"name": "grafana-elasticsearch-0:6.3.6-3.el8_2.ppc64le",
"product_id": "grafana-elasticsearch-0:6.3.6-3.el8_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-elasticsearch@6.3.6-3.el8_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-graphite-0:6.3.6-3.el8_2.ppc64le",
"product": {
"name": "grafana-graphite-0:6.3.6-3.el8_2.ppc64le",
"product_id": "grafana-graphite-0:6.3.6-3.el8_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-graphite@6.3.6-3.el8_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-influxdb-0:6.3.6-3.el8_2.ppc64le",
"product": {
"name": "grafana-influxdb-0:6.3.6-3.el8_2.ppc64le",
"product_id": "grafana-influxdb-0:6.3.6-3.el8_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-influxdb@6.3.6-3.el8_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-loki-0:6.3.6-3.el8_2.ppc64le",
"product": {
"name": "grafana-loki-0:6.3.6-3.el8_2.ppc64le",
"product_id": "grafana-loki-0:6.3.6-3.el8_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-loki@6.3.6-3.el8_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-mssql-0:6.3.6-3.el8_2.ppc64le",
"product": {
"name": "grafana-mssql-0:6.3.6-3.el8_2.ppc64le",
"product_id": "grafana-mssql-0:6.3.6-3.el8_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-mssql@6.3.6-3.el8_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-mysql-0:6.3.6-3.el8_2.ppc64le",
"product": {
"name": "grafana-mysql-0:6.3.6-3.el8_2.ppc64le",
"product_id": "grafana-mysql-0:6.3.6-3.el8_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-mysql@6.3.6-3.el8_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-opentsdb-0:6.3.6-3.el8_2.ppc64le",
"product": {
"name": "grafana-opentsdb-0:6.3.6-3.el8_2.ppc64le",
"product_id": "grafana-opentsdb-0:6.3.6-3.el8_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-opentsdb@6.3.6-3.el8_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-postgres-0:6.3.6-3.el8_2.ppc64le",
"product": {
"name": "grafana-postgres-0:6.3.6-3.el8_2.ppc64le",
"product_id": "grafana-postgres-0:6.3.6-3.el8_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-postgres@6.3.6-3.el8_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-prometheus-0:6.3.6-3.el8_2.ppc64le",
"product": {
"name": "grafana-prometheus-0:6.3.6-3.el8_2.ppc64le",
"product_id": "grafana-prometheus-0:6.3.6-3.el8_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-prometheus@6.3.6-3.el8_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-stackdriver-0:6.3.6-3.el8_2.ppc64le",
"product": {
"name": "grafana-stackdriver-0:6.3.6-3.el8_2.ppc64le",
"product_id": "grafana-stackdriver-0:6.3.6-3.el8_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-stackdriver@6.3.6-3.el8_2?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:6.3.6-3.el8_2.ppc64le",
"product": {
"name": "grafana-debuginfo-0:6.3.6-3.el8_2.ppc64le",
"product_id": "grafana-debuginfo-0:6.3.6-3.el8_2.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@6.3.6-3.el8_2?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:6.3.6-3.el8_2.x86_64",
"product": {
"name": "grafana-0:6.3.6-3.el8_2.x86_64",
"product_id": "grafana-0:6.3.6-3.el8_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@6.3.6-3.el8_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-azure-monitor-0:6.3.6-3.el8_2.x86_64",
"product": {
"name": "grafana-azure-monitor-0:6.3.6-3.el8_2.x86_64",
"product_id": "grafana-azure-monitor-0:6.3.6-3.el8_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-azure-monitor@6.3.6-3.el8_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-cloudwatch-0:6.3.6-3.el8_2.x86_64",
"product": {
"name": "grafana-cloudwatch-0:6.3.6-3.el8_2.x86_64",
"product_id": "grafana-cloudwatch-0:6.3.6-3.el8_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-cloudwatch@6.3.6-3.el8_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-elasticsearch-0:6.3.6-3.el8_2.x86_64",
"product": {
"name": "grafana-elasticsearch-0:6.3.6-3.el8_2.x86_64",
"product_id": "grafana-elasticsearch-0:6.3.6-3.el8_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-elasticsearch@6.3.6-3.el8_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-graphite-0:6.3.6-3.el8_2.x86_64",
"product": {
"name": "grafana-graphite-0:6.3.6-3.el8_2.x86_64",
"product_id": "grafana-graphite-0:6.3.6-3.el8_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-graphite@6.3.6-3.el8_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-influxdb-0:6.3.6-3.el8_2.x86_64",
"product": {
"name": "grafana-influxdb-0:6.3.6-3.el8_2.x86_64",
"product_id": "grafana-influxdb-0:6.3.6-3.el8_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-influxdb@6.3.6-3.el8_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-loki-0:6.3.6-3.el8_2.x86_64",
"product": {
"name": "grafana-loki-0:6.3.6-3.el8_2.x86_64",
"product_id": "grafana-loki-0:6.3.6-3.el8_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-loki@6.3.6-3.el8_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-mssql-0:6.3.6-3.el8_2.x86_64",
"product": {
"name": "grafana-mssql-0:6.3.6-3.el8_2.x86_64",
"product_id": "grafana-mssql-0:6.3.6-3.el8_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-mssql@6.3.6-3.el8_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-mysql-0:6.3.6-3.el8_2.x86_64",
"product": {
"name": "grafana-mysql-0:6.3.6-3.el8_2.x86_64",
"product_id": "grafana-mysql-0:6.3.6-3.el8_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-mysql@6.3.6-3.el8_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-opentsdb-0:6.3.6-3.el8_2.x86_64",
"product": {
"name": "grafana-opentsdb-0:6.3.6-3.el8_2.x86_64",
"product_id": "grafana-opentsdb-0:6.3.6-3.el8_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-opentsdb@6.3.6-3.el8_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-postgres-0:6.3.6-3.el8_2.x86_64",
"product": {
"name": "grafana-postgres-0:6.3.6-3.el8_2.x86_64",
"product_id": "grafana-postgres-0:6.3.6-3.el8_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-postgres@6.3.6-3.el8_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-prometheus-0:6.3.6-3.el8_2.x86_64",
"product": {
"name": "grafana-prometheus-0:6.3.6-3.el8_2.x86_64",
"product_id": "grafana-prometheus-0:6.3.6-3.el8_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-prometheus@6.3.6-3.el8_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-stackdriver-0:6.3.6-3.el8_2.x86_64",
"product": {
"name": "grafana-stackdriver-0:6.3.6-3.el8_2.x86_64",
"product_id": "grafana-stackdriver-0:6.3.6-3.el8_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-stackdriver@6.3.6-3.el8_2?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:6.3.6-3.el8_2.x86_64",
"product": {
"name": "grafana-debuginfo-0:6.3.6-3.el8_2.x86_64",
"product_id": "grafana-debuginfo-0:6.3.6-3.el8_2.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@6.3.6-3.el8_2?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:6.3.6-3.el8_2.s390x",
"product": {
"name": "grafana-0:6.3.6-3.el8_2.s390x",
"product_id": "grafana-0:6.3.6-3.el8_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@6.3.6-3.el8_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-azure-monitor-0:6.3.6-3.el8_2.s390x",
"product": {
"name": "grafana-azure-monitor-0:6.3.6-3.el8_2.s390x",
"product_id": "grafana-azure-monitor-0:6.3.6-3.el8_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-azure-monitor@6.3.6-3.el8_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-cloudwatch-0:6.3.6-3.el8_2.s390x",
"product": {
"name": "grafana-cloudwatch-0:6.3.6-3.el8_2.s390x",
"product_id": "grafana-cloudwatch-0:6.3.6-3.el8_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-cloudwatch@6.3.6-3.el8_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-elasticsearch-0:6.3.6-3.el8_2.s390x",
"product": {
"name": "grafana-elasticsearch-0:6.3.6-3.el8_2.s390x",
"product_id": "grafana-elasticsearch-0:6.3.6-3.el8_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-elasticsearch@6.3.6-3.el8_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-graphite-0:6.3.6-3.el8_2.s390x",
"product": {
"name": "grafana-graphite-0:6.3.6-3.el8_2.s390x",
"product_id": "grafana-graphite-0:6.3.6-3.el8_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-graphite@6.3.6-3.el8_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-influxdb-0:6.3.6-3.el8_2.s390x",
"product": {
"name": "grafana-influxdb-0:6.3.6-3.el8_2.s390x",
"product_id": "grafana-influxdb-0:6.3.6-3.el8_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-influxdb@6.3.6-3.el8_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-loki-0:6.3.6-3.el8_2.s390x",
"product": {
"name": "grafana-loki-0:6.3.6-3.el8_2.s390x",
"product_id": "grafana-loki-0:6.3.6-3.el8_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-loki@6.3.6-3.el8_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-mssql-0:6.3.6-3.el8_2.s390x",
"product": {
"name": "grafana-mssql-0:6.3.6-3.el8_2.s390x",
"product_id": "grafana-mssql-0:6.3.6-3.el8_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-mssql@6.3.6-3.el8_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-mysql-0:6.3.6-3.el8_2.s390x",
"product": {
"name": "grafana-mysql-0:6.3.6-3.el8_2.s390x",
"product_id": "grafana-mysql-0:6.3.6-3.el8_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-mysql@6.3.6-3.el8_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-opentsdb-0:6.3.6-3.el8_2.s390x",
"product": {
"name": "grafana-opentsdb-0:6.3.6-3.el8_2.s390x",
"product_id": "grafana-opentsdb-0:6.3.6-3.el8_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-opentsdb@6.3.6-3.el8_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-postgres-0:6.3.6-3.el8_2.s390x",
"product": {
"name": "grafana-postgres-0:6.3.6-3.el8_2.s390x",
"product_id": "grafana-postgres-0:6.3.6-3.el8_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-postgres@6.3.6-3.el8_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-prometheus-0:6.3.6-3.el8_2.s390x",
"product": {
"name": "grafana-prometheus-0:6.3.6-3.el8_2.s390x",
"product_id": "grafana-prometheus-0:6.3.6-3.el8_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-prometheus@6.3.6-3.el8_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-stackdriver-0:6.3.6-3.el8_2.s390x",
"product": {
"name": "grafana-stackdriver-0:6.3.6-3.el8_2.s390x",
"product_id": "grafana-stackdriver-0:6.3.6-3.el8_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-stackdriver@6.3.6-3.el8_2?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:6.3.6-3.el8_2.s390x",
"product": {
"name": "grafana-debuginfo-0:6.3.6-3.el8_2.s390x",
"product_id": "grafana-debuginfo-0:6.3.6-3.el8_2.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@6.3.6-3.el8_2?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:6.3.6-3.el8_2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-0:6.3.6-3.el8_2.aarch64"
},
"product_reference": "grafana-0:6.3.6-3.el8_2.aarch64",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:6.3.6-3.el8_2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-0:6.3.6-3.el8_2.ppc64le"
},
"product_reference": "grafana-0:6.3.6-3.el8_2.ppc64le",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:6.3.6-3.el8_2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-0:6.3.6-3.el8_2.s390x"
},
"product_reference": "grafana-0:6.3.6-3.el8_2.s390x",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:6.3.6-3.el8_2.src as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-0:6.3.6-3.el8_2.src"
},
"product_reference": "grafana-0:6.3.6-3.el8_2.src",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:6.3.6-3.el8_2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-0:6.3.6-3.el8_2.x86_64"
},
"product_reference": "grafana-0:6.3.6-3.el8_2.x86_64",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-azure-monitor-0:6.3.6-3.el8_2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-azure-monitor-0:6.3.6-3.el8_2.aarch64"
},
"product_reference": "grafana-azure-monitor-0:6.3.6-3.el8_2.aarch64",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-azure-monitor-0:6.3.6-3.el8_2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-azure-monitor-0:6.3.6-3.el8_2.ppc64le"
},
"product_reference": "grafana-azure-monitor-0:6.3.6-3.el8_2.ppc64le",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-azure-monitor-0:6.3.6-3.el8_2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-azure-monitor-0:6.3.6-3.el8_2.s390x"
},
"product_reference": "grafana-azure-monitor-0:6.3.6-3.el8_2.s390x",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-azure-monitor-0:6.3.6-3.el8_2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-azure-monitor-0:6.3.6-3.el8_2.x86_64"
},
"product_reference": "grafana-azure-monitor-0:6.3.6-3.el8_2.x86_64",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-cloudwatch-0:6.3.6-3.el8_2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-cloudwatch-0:6.3.6-3.el8_2.aarch64"
},
"product_reference": "grafana-cloudwatch-0:6.3.6-3.el8_2.aarch64",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-cloudwatch-0:6.3.6-3.el8_2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-cloudwatch-0:6.3.6-3.el8_2.ppc64le"
},
"product_reference": "grafana-cloudwatch-0:6.3.6-3.el8_2.ppc64le",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-cloudwatch-0:6.3.6-3.el8_2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-cloudwatch-0:6.3.6-3.el8_2.s390x"
},
"product_reference": "grafana-cloudwatch-0:6.3.6-3.el8_2.s390x",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-cloudwatch-0:6.3.6-3.el8_2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-cloudwatch-0:6.3.6-3.el8_2.x86_64"
},
"product_reference": "grafana-cloudwatch-0:6.3.6-3.el8_2.x86_64",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:6.3.6-3.el8_2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-debuginfo-0:6.3.6-3.el8_2.aarch64"
},
"product_reference": "grafana-debuginfo-0:6.3.6-3.el8_2.aarch64",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:6.3.6-3.el8_2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-debuginfo-0:6.3.6-3.el8_2.ppc64le"
},
"product_reference": "grafana-debuginfo-0:6.3.6-3.el8_2.ppc64le",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:6.3.6-3.el8_2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-debuginfo-0:6.3.6-3.el8_2.s390x"
},
"product_reference": "grafana-debuginfo-0:6.3.6-3.el8_2.s390x",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:6.3.6-3.el8_2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-debuginfo-0:6.3.6-3.el8_2.x86_64"
},
"product_reference": "grafana-debuginfo-0:6.3.6-3.el8_2.x86_64",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-elasticsearch-0:6.3.6-3.el8_2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-elasticsearch-0:6.3.6-3.el8_2.aarch64"
},
"product_reference": "grafana-elasticsearch-0:6.3.6-3.el8_2.aarch64",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-elasticsearch-0:6.3.6-3.el8_2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-elasticsearch-0:6.3.6-3.el8_2.ppc64le"
},
"product_reference": "grafana-elasticsearch-0:6.3.6-3.el8_2.ppc64le",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-elasticsearch-0:6.3.6-3.el8_2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-elasticsearch-0:6.3.6-3.el8_2.s390x"
},
"product_reference": "grafana-elasticsearch-0:6.3.6-3.el8_2.s390x",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-elasticsearch-0:6.3.6-3.el8_2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-elasticsearch-0:6.3.6-3.el8_2.x86_64"
},
"product_reference": "grafana-elasticsearch-0:6.3.6-3.el8_2.x86_64",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-graphite-0:6.3.6-3.el8_2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-graphite-0:6.3.6-3.el8_2.aarch64"
},
"product_reference": "grafana-graphite-0:6.3.6-3.el8_2.aarch64",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-graphite-0:6.3.6-3.el8_2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-graphite-0:6.3.6-3.el8_2.ppc64le"
},
"product_reference": "grafana-graphite-0:6.3.6-3.el8_2.ppc64le",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-graphite-0:6.3.6-3.el8_2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-graphite-0:6.3.6-3.el8_2.s390x"
},
"product_reference": "grafana-graphite-0:6.3.6-3.el8_2.s390x",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-graphite-0:6.3.6-3.el8_2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-graphite-0:6.3.6-3.el8_2.x86_64"
},
"product_reference": "grafana-graphite-0:6.3.6-3.el8_2.x86_64",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-influxdb-0:6.3.6-3.el8_2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-influxdb-0:6.3.6-3.el8_2.aarch64"
},
"product_reference": "grafana-influxdb-0:6.3.6-3.el8_2.aarch64",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-influxdb-0:6.3.6-3.el8_2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-influxdb-0:6.3.6-3.el8_2.ppc64le"
},
"product_reference": "grafana-influxdb-0:6.3.6-3.el8_2.ppc64le",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-influxdb-0:6.3.6-3.el8_2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-influxdb-0:6.3.6-3.el8_2.s390x"
},
"product_reference": "grafana-influxdb-0:6.3.6-3.el8_2.s390x",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-influxdb-0:6.3.6-3.el8_2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-influxdb-0:6.3.6-3.el8_2.x86_64"
},
"product_reference": "grafana-influxdb-0:6.3.6-3.el8_2.x86_64",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-loki-0:6.3.6-3.el8_2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-loki-0:6.3.6-3.el8_2.aarch64"
},
"product_reference": "grafana-loki-0:6.3.6-3.el8_2.aarch64",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-loki-0:6.3.6-3.el8_2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-loki-0:6.3.6-3.el8_2.ppc64le"
},
"product_reference": "grafana-loki-0:6.3.6-3.el8_2.ppc64le",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-loki-0:6.3.6-3.el8_2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-loki-0:6.3.6-3.el8_2.s390x"
},
"product_reference": "grafana-loki-0:6.3.6-3.el8_2.s390x",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-loki-0:6.3.6-3.el8_2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-loki-0:6.3.6-3.el8_2.x86_64"
},
"product_reference": "grafana-loki-0:6.3.6-3.el8_2.x86_64",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-mssql-0:6.3.6-3.el8_2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-mssql-0:6.3.6-3.el8_2.aarch64"
},
"product_reference": "grafana-mssql-0:6.3.6-3.el8_2.aarch64",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-mssql-0:6.3.6-3.el8_2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-mssql-0:6.3.6-3.el8_2.ppc64le"
},
"product_reference": "grafana-mssql-0:6.3.6-3.el8_2.ppc64le",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-mssql-0:6.3.6-3.el8_2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-mssql-0:6.3.6-3.el8_2.s390x"
},
"product_reference": "grafana-mssql-0:6.3.6-3.el8_2.s390x",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-mssql-0:6.3.6-3.el8_2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-mssql-0:6.3.6-3.el8_2.x86_64"
},
"product_reference": "grafana-mssql-0:6.3.6-3.el8_2.x86_64",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-mysql-0:6.3.6-3.el8_2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-mysql-0:6.3.6-3.el8_2.aarch64"
},
"product_reference": "grafana-mysql-0:6.3.6-3.el8_2.aarch64",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-mysql-0:6.3.6-3.el8_2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-mysql-0:6.3.6-3.el8_2.ppc64le"
},
"product_reference": "grafana-mysql-0:6.3.6-3.el8_2.ppc64le",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-mysql-0:6.3.6-3.el8_2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-mysql-0:6.3.6-3.el8_2.s390x"
},
"product_reference": "grafana-mysql-0:6.3.6-3.el8_2.s390x",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-mysql-0:6.3.6-3.el8_2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-mysql-0:6.3.6-3.el8_2.x86_64"
},
"product_reference": "grafana-mysql-0:6.3.6-3.el8_2.x86_64",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-opentsdb-0:6.3.6-3.el8_2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-opentsdb-0:6.3.6-3.el8_2.aarch64"
},
"product_reference": "grafana-opentsdb-0:6.3.6-3.el8_2.aarch64",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-opentsdb-0:6.3.6-3.el8_2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-opentsdb-0:6.3.6-3.el8_2.ppc64le"
},
"product_reference": "grafana-opentsdb-0:6.3.6-3.el8_2.ppc64le",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-opentsdb-0:6.3.6-3.el8_2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-opentsdb-0:6.3.6-3.el8_2.s390x"
},
"product_reference": "grafana-opentsdb-0:6.3.6-3.el8_2.s390x",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-opentsdb-0:6.3.6-3.el8_2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-opentsdb-0:6.3.6-3.el8_2.x86_64"
},
"product_reference": "grafana-opentsdb-0:6.3.6-3.el8_2.x86_64",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-postgres-0:6.3.6-3.el8_2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-postgres-0:6.3.6-3.el8_2.aarch64"
},
"product_reference": "grafana-postgres-0:6.3.6-3.el8_2.aarch64",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-postgres-0:6.3.6-3.el8_2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-postgres-0:6.3.6-3.el8_2.ppc64le"
},
"product_reference": "grafana-postgres-0:6.3.6-3.el8_2.ppc64le",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-postgres-0:6.3.6-3.el8_2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-postgres-0:6.3.6-3.el8_2.s390x"
},
"product_reference": "grafana-postgres-0:6.3.6-3.el8_2.s390x",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-postgres-0:6.3.6-3.el8_2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-postgres-0:6.3.6-3.el8_2.x86_64"
},
"product_reference": "grafana-postgres-0:6.3.6-3.el8_2.x86_64",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-prometheus-0:6.3.6-3.el8_2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-prometheus-0:6.3.6-3.el8_2.aarch64"
},
"product_reference": "grafana-prometheus-0:6.3.6-3.el8_2.aarch64",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-prometheus-0:6.3.6-3.el8_2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-prometheus-0:6.3.6-3.el8_2.ppc64le"
},
"product_reference": "grafana-prometheus-0:6.3.6-3.el8_2.ppc64le",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-prometheus-0:6.3.6-3.el8_2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-prometheus-0:6.3.6-3.el8_2.s390x"
},
"product_reference": "grafana-prometheus-0:6.3.6-3.el8_2.s390x",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-prometheus-0:6.3.6-3.el8_2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-prometheus-0:6.3.6-3.el8_2.x86_64"
},
"product_reference": "grafana-prometheus-0:6.3.6-3.el8_2.x86_64",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-stackdriver-0:6.3.6-3.el8_2.aarch64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-stackdriver-0:6.3.6-3.el8_2.aarch64"
},
"product_reference": "grafana-stackdriver-0:6.3.6-3.el8_2.aarch64",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-stackdriver-0:6.3.6-3.el8_2.ppc64le as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-stackdriver-0:6.3.6-3.el8_2.ppc64le"
},
"product_reference": "grafana-stackdriver-0:6.3.6-3.el8_2.ppc64le",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-stackdriver-0:6.3.6-3.el8_2.s390x as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-stackdriver-0:6.3.6-3.el8_2.s390x"
},
"product_reference": "grafana-stackdriver-0:6.3.6-3.el8_2.s390x",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-stackdriver-0:6.3.6-3.el8_2.x86_64 as a component of Red Hat Enterprise Linux AppStream EUS (v. 8.2)",
"product_id": "AppStream-8.2.0.Z.EUS:grafana-stackdriver-0:6.3.6-3.el8_2.x86_64"
},
"product_reference": "grafana-stackdriver-0:6.3.6-3.el8_2.x86_64",
"relates_to_product_reference": "AppStream-8.2.0.Z.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-39226",
"cwe": {
"id": "CWE-639",
"name": "Authorization Bypass Through User-Controlled Key"
},
"discovery_date": "2021-10-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2011063"
}
],
"notes": [
{
"category": "description",
"text": "An authentication bypass was found in grafana. An attacker on the network is able to view and delete snapshots by accessing a literal path.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: Snapshot authentication bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP), Red Hat Advanced Cluster Management for Kubernetes (RHACM), and OpenShift ServiceMesh (OSSM) the grafana components are protected by OpenShift OAuth that reduces the impact of this flaw to Moderate. Access to the grafana panel where snapshots can be created requires admin permissions. Additionally snapshots by default are not available to unauthenticated users and don\u0027t contain sensitive data.\n\nSince snapshots by default are not available to unauthenticated users and don\u0027t contain sensitive data, impact has been lowered for Red Hat Gluster Storage 3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.2.0.Z.EUS:grafana-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-0:6.3.6-3.el8_2.src",
"AppStream-8.2.0.Z.EUS:grafana-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-azure-monitor-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-azure-monitor-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-azure-monitor-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-azure-monitor-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-cloudwatch-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-cloudwatch-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-cloudwatch-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-cloudwatch-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-debuginfo-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-debuginfo-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-debuginfo-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-debuginfo-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-elasticsearch-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-elasticsearch-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-elasticsearch-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-elasticsearch-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-graphite-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-graphite-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-graphite-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-graphite-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-influxdb-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-influxdb-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-influxdb-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-influxdb-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-loki-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-loki-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-loki-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-loki-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-mssql-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-mssql-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-mssql-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-mssql-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-mysql-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-mysql-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-mysql-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-mysql-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-opentsdb-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-opentsdb-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-opentsdb-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-opentsdb-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-postgres-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-postgres-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-postgres-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-postgres-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-prometheus-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-prometheus-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-prometheus-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-prometheus-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-stackdriver-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-stackdriver-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-stackdriver-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-stackdriver-0:6.3.6-3.el8_2.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39226"
},
{
"category": "external",
"summary": "RHBZ#2011063",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2011063"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39226",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39226"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39226",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39226"
},
{
"category": "external",
"summary": "https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9"
},
{
"category": "external",
"summary": "https://grafana.com/blog/2021/10/05/grafana-7.5.11-and-8.1.6-released-with-critical-security-fix/",
"url": "https://grafana.com/blog/2021/10/05/grafana-7.5.11-and-8.1.6-released-with-critical-security-fix/"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2021-10-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-10-12T10:52:17+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.2.0.Z.EUS:grafana-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-0:6.3.6-3.el8_2.src",
"AppStream-8.2.0.Z.EUS:grafana-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-azure-monitor-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-azure-monitor-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-azure-monitor-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-azure-monitor-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-cloudwatch-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-cloudwatch-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-cloudwatch-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-cloudwatch-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-debuginfo-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-debuginfo-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-debuginfo-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-debuginfo-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-elasticsearch-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-elasticsearch-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-elasticsearch-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-elasticsearch-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-graphite-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-graphite-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-graphite-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-graphite-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-influxdb-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-influxdb-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-influxdb-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-influxdb-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-loki-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-loki-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-loki-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-loki-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-mssql-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-mssql-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-mssql-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-mssql-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-mysql-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-mysql-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-mysql-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-mysql-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-opentsdb-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-opentsdb-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-opentsdb-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-opentsdb-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-postgres-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-postgres-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-postgres-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-postgres-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-prometheus-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-prometheus-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-prometheus-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-prometheus-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-stackdriver-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-stackdriver-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-stackdriver-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-stackdriver-0:6.3.6-3.el8_2.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3770"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"AppStream-8.2.0.Z.EUS:grafana-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-0:6.3.6-3.el8_2.src",
"AppStream-8.2.0.Z.EUS:grafana-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-azure-monitor-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-azure-monitor-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-azure-monitor-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-azure-monitor-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-cloudwatch-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-cloudwatch-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-cloudwatch-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-cloudwatch-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-debuginfo-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-debuginfo-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-debuginfo-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-debuginfo-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-elasticsearch-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-elasticsearch-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-elasticsearch-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-elasticsearch-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-graphite-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-graphite-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-graphite-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-graphite-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-influxdb-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-influxdb-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-influxdb-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-influxdb-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-loki-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-loki-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-loki-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-loki-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-mssql-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-mssql-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-mssql-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-mssql-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-mysql-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-mysql-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-mysql-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-mysql-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-opentsdb-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-opentsdb-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-opentsdb-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-opentsdb-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-postgres-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-postgres-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-postgres-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-postgres-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-prometheus-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-prometheus-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-prometheus-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-prometheus-0:6.3.6-3.el8_2.x86_64",
"AppStream-8.2.0.Z.EUS:grafana-stackdriver-0:6.3.6-3.el8_2.aarch64",
"AppStream-8.2.0.Z.EUS:grafana-stackdriver-0:6.3.6-3.el8_2.ppc64le",
"AppStream-8.2.0.Z.EUS:grafana-stackdriver-0:6.3.6-3.el8_2.s390x",
"AppStream-8.2.0.Z.EUS:grafana-stackdriver-0:6.3.6-3.el8_2.x86_64"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2022-08-25T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Important"
}
],
"title": "grafana: Snapshot authentication bypass"
}
]
}
RHSA-2021:3771
Vulnerability from csaf_redhat - Published: 2021-10-12 11:01 - Updated: 2025-11-21 18:25

An authentication bypass was found in grafana. An attacker on the network is able to view and delete snapshots by accessing a literal path.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:grafana-0:7.3.6-3.el8_4.aarch64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:grafana-0:7.3.6-3.el8_4.ppc64le | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:grafana-0:7.3.6-3.el8_4.s390x | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:grafana-0:7.3.6-3.el8_4.src | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:grafana-0:7.3.6-3.el8_4.x86_64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:grafana-debuginfo-0:7.3.6-3.el8_4.aarch64 | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:grafana-debuginfo-0:7.3.6-3.el8_4.ppc64le | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:grafana-debuginfo-0:7.3.6-3.el8_4.s390x | — | Vendor Fix fix | |
| Unresolved product id: AppStream-8.4.0.Z.MAIN.EUS:grafana-debuginfo-0:7.3.6-3.el8_4.x86_64 | — | Vendor Fix fix | |

{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for grafana is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB. \n\nSecurity Fix(es):\n\n* grafana: Snapshot authentication bypass (CVE-2021-39226)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2021:3771",
"url": "https://access.redhat.com/errata/RHSA-2021:3771"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2011063",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2011063"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_3771.json"
}
],
"title": "Red Hat Security Advisory: grafana security update",
"tracking": {
"current_release_date": "2025-11-21T18:25:33+00:00",
"generator": {
"date": "2025-11-21T18:25:33+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2021:3771",
"initial_release_date": "2021-10-12T11:01:32+00:00",
"revision_history": [
{
"date": "2021-10-12T11:01:32+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2021-10-12T11:01:32+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:25:33+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:8::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:7.3.6-3.el8_4.src",
"product": {
"name": "grafana-0:7.3.6-3.el8_4.src",
"product_id": "grafana-0:7.3.6-3.el8_4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@7.3.6-3.el8_4?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:7.3.6-3.el8_4.aarch64",
"product": {
"name": "grafana-0:7.3.6-3.el8_4.aarch64",
"product_id": "grafana-0:7.3.6-3.el8_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@7.3.6-3.el8_4?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:7.3.6-3.el8_4.aarch64",
"product": {
"name": "grafana-debuginfo-0:7.3.6-3.el8_4.aarch64",
"product_id": "grafana-debuginfo-0:7.3.6-3.el8_4.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@7.3.6-3.el8_4?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:7.3.6-3.el8_4.ppc64le",
"product": {
"name": "grafana-0:7.3.6-3.el8_4.ppc64le",
"product_id": "grafana-0:7.3.6-3.el8_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@7.3.6-3.el8_4?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:7.3.6-3.el8_4.ppc64le",
"product": {
"name": "grafana-debuginfo-0:7.3.6-3.el8_4.ppc64le",
"product_id": "grafana-debuginfo-0:7.3.6-3.el8_4.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@7.3.6-3.el8_4?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:7.3.6-3.el8_4.x86_64",
"product": {
"name": "grafana-0:7.3.6-3.el8_4.x86_64",
"product_id": "grafana-0:7.3.6-3.el8_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@7.3.6-3.el8_4?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:7.3.6-3.el8_4.x86_64",
"product": {
"name": "grafana-debuginfo-0:7.3.6-3.el8_4.x86_64",
"product_id": "grafana-debuginfo-0:7.3.6-3.el8_4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@7.3.6-3.el8_4?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:7.3.6-3.el8_4.s390x",
"product": {
"name": "grafana-0:7.3.6-3.el8_4.s390x",
"product_id": "grafana-0:7.3.6-3.el8_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@7.3.6-3.el8_4?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:7.3.6-3.el8_4.s390x",
"product": {
"name": "grafana-debuginfo-0:7.3.6-3.el8_4.s390x",
"product_id": "grafana-debuginfo-0:7.3.6-3.el8_4.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@7.3.6-3.el8_4?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:7.3.6-3.el8_4.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:grafana-0:7.3.6-3.el8_4.aarch64"
},
"product_reference": "grafana-0:7.3.6-3.el8_4.aarch64",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:7.3.6-3.el8_4.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:grafana-0:7.3.6-3.el8_4.ppc64le"
},
"product_reference": "grafana-0:7.3.6-3.el8_4.ppc64le",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:7.3.6-3.el8_4.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:grafana-0:7.3.6-3.el8_4.s390x"
},
"product_reference": "grafana-0:7.3.6-3.el8_4.s390x",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:7.3.6-3.el8_4.src as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:grafana-0:7.3.6-3.el8_4.src"
},
"product_reference": "grafana-0:7.3.6-3.el8_4.src",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:7.3.6-3.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:grafana-0:7.3.6-3.el8_4.x86_64"
},
"product_reference": "grafana-0:7.3.6-3.el8_4.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:7.3.6-3.el8_4.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:grafana-debuginfo-0:7.3.6-3.el8_4.aarch64"
},
"product_reference": "grafana-debuginfo-0:7.3.6-3.el8_4.aarch64",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:7.3.6-3.el8_4.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:grafana-debuginfo-0:7.3.6-3.el8_4.ppc64le"
},
"product_reference": "grafana-debuginfo-0:7.3.6-3.el8_4.ppc64le",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:7.3.6-3.el8_4.s390x as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:grafana-debuginfo-0:7.3.6-3.el8_4.s390x"
},
"product_reference": "grafana-debuginfo-0:7.3.6-3.el8_4.s390x",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:7.3.6-3.el8_4.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 8)",
"product_id": "AppStream-8.4.0.Z.MAIN.EUS:grafana-debuginfo-0:7.3.6-3.el8_4.x86_64"
},
"product_reference": "grafana-debuginfo-0:7.3.6-3.el8_4.x86_64",
"relates_to_product_reference": "AppStream-8.4.0.Z.MAIN.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-39226",
"cwe": {
"id": "CWE-639",
"name": "Authorization Bypass Through User-Controlled Key"
},
"discovery_date": "2021-10-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2011063"
}
],
"notes": [
{
"category": "description",
"text": "An authentication bypass was found in grafana. An attacker on the network is able to view and delete snapshots by accessing a literal path.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: Snapshot authentication bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP), Red Hat Advanced Cluster Management for Kubernetes (RHACM), and OpenShift ServiceMesh (OSSM) the grafana components are protected by OpenShift OAuth that reduces the impact of this flaw to Moderate. Access to the grafana panel where snapshots can be created requires admin permissions. Additionally snapshots by default are not available to unauthenticated users and don\u0027t contain sensitive data.\n\nSince snapshots by default are not available to unauthenticated users and don\u0027t contain sensitive data, impact has been lowered for Red Hat Gluster Storage 3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-8.4.0.Z.MAIN.EUS:grafana-0:7.3.6-3.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:grafana-0:7.3.6-3.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:grafana-0:7.3.6-3.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:grafana-0:7.3.6-3.el8_4.src",
"AppStream-8.4.0.Z.MAIN.EUS:grafana-0:7.3.6-3.el8_4.x86_64",
"AppStream-8.4.0.Z.MAIN.EUS:grafana-debuginfo-0:7.3.6-3.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:grafana-debuginfo-0:7.3.6-3.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:grafana-debuginfo-0:7.3.6-3.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:grafana-debuginfo-0:7.3.6-3.el8_4.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-39226"
},
{
"category": "external",
"summary": "RHBZ#2011063",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2011063"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-39226",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39226"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-39226",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39226"
},
{
"category": "external",
"summary": "https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9"
},
{
"category": "external",
"summary": "https://grafana.com/blog/2021/10/05/grafana-7.5.11-and-8.1.6-released-with-critical-security-fix/",
"url": "https://grafana.com/blog/2021/10/05/grafana-7.5.11-and-8.1.6-released-with-critical-security-fix/"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2021-10-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2021-10-12T11:01:32+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-8.4.0.Z.MAIN.EUS:grafana-0:7.3.6-3.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:grafana-0:7.3.6-3.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:grafana-0:7.3.6-3.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:grafana-0:7.3.6-3.el8_4.src",
"AppStream-8.4.0.Z.MAIN.EUS:grafana-0:7.3.6-3.el8_4.x86_64",
"AppStream-8.4.0.Z.MAIN.EUS:grafana-debuginfo-0:7.3.6-3.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:grafana-debuginfo-0:7.3.6-3.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:grafana-debuginfo-0:7.3.6-3.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:grafana-debuginfo-0:7.3.6-3.el8_4.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2021:3771"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"AppStream-8.4.0.Z.MAIN.EUS:grafana-0:7.3.6-3.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:grafana-0:7.3.6-3.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:grafana-0:7.3.6-3.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:grafana-0:7.3.6-3.el8_4.src",
"AppStream-8.4.0.Z.MAIN.EUS:grafana-0:7.3.6-3.el8_4.x86_64",
"AppStream-8.4.0.Z.MAIN.EUS:grafana-debuginfo-0:7.3.6-3.el8_4.aarch64",
"AppStream-8.4.0.Z.MAIN.EUS:grafana-debuginfo-0:7.3.6-3.el8_4.ppc64le",
"AppStream-8.4.0.Z.MAIN.EUS:grafana-debuginfo-0:7.3.6-3.el8_4.s390x",
"AppStream-8.4.0.Z.MAIN.EUS:grafana-debuginfo-0:7.3.6-3.el8_4.x86_64"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2022-08-25T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Important"
}
],
"title": "grafana: Snapshot authentication bypass"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.