Miggo Logo

CVE-2021-27358: Denial of service in Grafana

6.9

CVSS Score
3.1

Basic Information

EPSS Score
0.98694%
Published
2/15/2022
Updated
10/2/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:U/RL:O/RC:R
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/grafana/grafanago>= 6.7.3, < 7.4.27.4.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from improper authentication handling in the SnapshotPublicModeOrSignedIn middleware. The patch shows:

  1. Removal of error-prone middleware chaining (c.Invoke(ReqSignedIn))
  2. Direct check of c.IsSignedIn instead of relying on middleware side effects
  3. Added test cases in auth_test.go that verify 401 responses when unauthenticated
  4. CWE-306 (Missing Authentication) directly maps to this authentication bypass scenario
  5. The function controls access to snapshot creation API endpoints mentioned in advisory descriptions
  6. Commit message explicitly states 'Disallow anonymous user to create snapshots' as the fix

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** sn*ps*ot ***tur* in *r***n* ***or* *.*.* **n *llow *n un*ut**nti**t** r*mot* *tt**k*rs to tri***r * **ni*l o* S*rvi** vi* * r*mot* *PI **ll i* * *ommonly us** *on*i*ur*tion is s*t. ### Sp**i*i* *o P**k***s *****t** *it*u*.*om/*r***n*/*r***n*/pk*/

Reasoning

T** vuln*r**ility st*mm** *rom improp*r *ut**nti**tion **n*lin* in t** Sn*ps*otPu*li*Mo**OrSi*n**In mi**l*w*r*. T** p*t** s*ows: *. R*mov*l o* *rror-pron* mi**l*w*r* ***inin* (*.Invok*(R*qSi*n**In)) *. *ir**t ****k o* *.IsSi*n**In inst*** o* r*lyin*