CVE-2021-27358: Denial of service in Grafana
Basic Information

CVSS Score: 6.9 (CVSS 3.1)
CVE ID: CVE-2021-27358
GHSA ID:
EPSS Score: 0.98694%
CWE:
Published: 2/15/2022
Updated: 10/2/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:U/RL:O/RC:R

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/grafana/grafana | go | >= 6.7.3, < 7.4.2 | 7.4.2 |
Vulnerability Intelligence (Miggo AI)

Root Cause Analysis
The vulnerability stemmed from improper authentication handling in the SnapshotPublicModeOrSignedIn middleware. The patch shows:
- removal of the error-prone middleware chaining (c.Invoke(ReqSignedIn)), which relied on the invoked middleware's side effects to reject unauthenticated requests;
- a direct check of c.IsSignedIn in its place;
- new test cases in auth_test.go that verify a 401 response when the caller is not authenticated.

Supporting evidence:
- CWE-306 (Missing Authentication) maps directly to this authentication-bypass scenario.
- The function gates access to the snapshot-creation API endpoints named in the advisory description.
- The commit message states the fix explicitly: 'Disallow anonymous user to create snapshots'.
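The pattern the analysis describes, as an added illustration that is not Grafana's code: a gate that checks the request's signed-in state directly and writes the 401 itself, instead of invoking a second middleware and relying on its side effects. The session store, the reqContext type, the cookie name and the /api/snapshots path are all constructed for this example and are assumptions, not Grafana identifiers.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// validSessions is a constructed in-memory session store used only for this example.
var validSessions = map[string]string{
	"sess-alice": "alice",
}

// reqContext is a hypothetical per-request context carrying the outcome of
// authentication (a stand-in, not Grafana's ReqContext).
type reqContext struct {
	IsSignedIn bool
	Login      string
}

// authenticate populates the request context from a "session" cookie
// (cookie name assumed for the example). Unknown or missing sessions stay anonymous.
func authenticate(r *http.Request) reqContext {
	c, err := r.Cookie("session")
	if err != nil {
		return reqContext{}
	}
	login, ok := validSessions[c.Value]
	if !ok {
		return reqContext{}
	}
	return reqContext{IsSignedIn: true, Login: login}
}

// snapshotPublicModeOrSignedIn gates snapshot creation: allowed when the
// instance runs in public snapshot mode, otherwise only for signed-in users.
// The decision is made on ctx.IsSignedIn directly and the 401 is written here,
// so the outcome never depends on whether some other middleware happened to
// write a response first.
func snapshotPublicModeOrSignedIn(publicMode bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if publicMode {
			next.ServeHTTP(w, r)
			return
		}
		ctx := authenticate(r)
		if !ctx.IsSignedIn {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// createSnapshot is a placeholder for the protected handler.
func createSnapshot(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	fmt.Fprint(w, "snapshot created")
}

// probeSnapshotCreate sends a POST to the (assumed) /api/snapshots path with the
// given session cookie value (empty for anonymous) and returns the status code.
func probeSnapshotCreate(publicMode bool, session string) int {
	h := snapshotPublicModeOrSignedIn(publicMode, http.HandlerFunc(createSnapshot))
	req := httptest.NewRequest(http.MethodPost, "/api/snapshots", nil)
	if session != "" {
		req.AddCookie(&http.Cookie{Name: "session", Value: session})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("anonymous, public mode off:", probeSnapshotCreate(false, ""))
	fmt.Println("signed in, public mode off: ", probeSnapshotCreate(false, "sess-alice"))
	fmt.Println("anonymous, public mode on:  ", probeSnapshotCreate(true, ""))
	fmt.Println("unknown session, mode off:  ", probeSnapshotCreate(false, "sess-unknown"))
}
```

The four probes in main mirror the 401 test case the patch added: the anonymous and unknown-session requests are rejected with 401 unless public snapshot mode is on, and only a valid session reaches the handler.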