Per report to tech@ from https://mobile.twitter.com/dgirlwhohacks
Description
Event Timeline
southparkfan@test3:~$ python3 cve.py --url 'https://grafana.miraheze.org'
[-] Testing https://grafana.miraheze.org...
[-] Status: 200
[-] Checking for version...
[-] Grafana version appears to be: 7.4.1
[!] Version seems to indicate it's probably not vulnerable.
[-] Checking if snapshot api requires authentication...
[+] Snapshot endpoint doesn't seem to require authentication! Host may be vulnerable.
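The output above carries two signals that disagree: the version string suggests a fixed release, while the unauthenticated request to the snapshot endpoint succeeds. The following is an added example (not the cve.py script from this comment and not Grafana's own code) that keeps the two signals separate and lets the observed behaviour override the version heuristic, which is the only safe ordering when a host can still be reproduced against despite its version. The response field names (`key`, `deleteKey`, `deleteUrl`), the `/api/health` version field, the minimal snapshot payload and the release assumed to carry the fix are assumptions, not taken from the thread; all sample responses are constructed so the module runs offline.

```python
"""Assess a Grafana unauthenticated-snapshot check from its two signals.

Added example; not the cve.py script in the thread and not Grafana code.
Signal 1: the version string (a heuristic).  Signal 2: what an
unauthenticated POST /api/snapshots actually does (the ground truth).
"""
import json
from typing import NamedTuple, Tuple
from urllib import error, request


class HttpResponse(NamedTuple):
    status: int
    body: str


def parse_version(text: str) -> Tuple[int, ...]:
    """'7.4.1' -> (7, 4, 1); a pre-release suffix such as '-beta1' is dropped."""
    core = text.strip().split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def version_from_health(health_body: str) -> str:
    """Read the 'version' field from the JSON served at /api/health (assumed shape)."""
    return str(json.loads(health_body)["version"])


def version_probably_fixed(version: str, fixed_in: str) -> bool:
    """Heuristic only: the running version is at or past the release carrying the fix."""
    return parse_version(version) >= parse_version(fixed_in)


def snapshot_created_unauthenticated(resp: HttpResponse) -> bool:
    """True if an unauthenticated POST /api/snapshots appears to have created a
    snapshot: HTTP 200 with a JSON body carrying both a snapshot key and a
    delete key (assumed response shape).  401/403, any other status, or a
    non-JSON body (for example a reverse-proxy block page) count as closed."""
    if resp.status != 200:
        return False
    try:
        data = json.loads(resp.body)
    except ValueError:
        return False
    return isinstance(data, dict) and "key" in data and "deleteKey" in data


def assess(version: str, snapshot_resp: HttpResponse, fixed_in: str) -> str:
    """Combine the signals.  Behaviour wins: an open endpoint is vulnerable
    whatever the version says; a rejected request on a pre-fix version means
    something outside Grafana (such as a URL block) is in the way."""
    if snapshot_created_unauthenticated(snapshot_resp):
        return "vulnerable"
    if version_probably_fixed(version, fixed_in):
        return "patched"
    return "mitigated-externally"


def probe_live(base_url: str, timeout: float = 10.0) -> HttpResponse:
    """One unauthenticated snapshot-creation request against a Grafana you own.
    A 200 here CREATES a snapshot on the server: the payload asks for a short
    expiry, and the caller should GET the returned deleteUrl to remove it."""
    payload = json.dumps({
        "dashboard": {"title": "probe", "panels": []},  # minimal dashboard (assumed sufficient)
        "name": "unauth-probe",
        "expires": 60,  # seconds
    }).encode()
    req = request.Request(base_url.rstrip("/") + "/api/snapshots", data=payload,
                          headers={"Content-Type": "application/json"}, method="POST")
    try:
        with request.urlopen(req, timeout=timeout) as r:
            return HttpResponse(r.status, r.read().decode("utf-8", "replace"))
    except error.HTTPError as e:
        return HttpResponse(e.code, e.read().decode("utf-8", "replace"))


# Constructed sample responses; not captured from any real host.
SAMPLE_HEALTH = '{"commit":"deadbeef","database":"ok","version":"7.4.1"}'
SAMPLE_OPEN = HttpResponse(200, '{"key":"abc123","deleteKey":"def456",'
                                '"url":"https://g.example/dashboard/snapshot/abc123",'
                                '"deleteUrl":"https://g.example/api/snapshots-delete/def456","id":1}')
SAMPLE_BLOCKED = HttpResponse(403, "<html>403 Forbidden</html>")
SAMPLE_AUTH_REQUIRED = HttpResponse(401, '{"message":"Unauthorized"}')

# ASSUMED release carrying the fix; the thread names only the pull request.
ASSUMED_FIXED_IN = "7.4.2"

if __name__ == "__main__":
    v = version_from_health(SAMPLE_HEALTH)
    print(v, assess(v, SAMPLE_OPEN, ASSUMED_FIXED_IN))
```

The third verdict is the one a URL block at the proxy produces: the request is refused, so the host is not exploitable from outside, but nothing about Grafana itself has changed, which is why the block is a stop-gap rather than a fix.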
- The API endpoint is open
- Our Grafana version is on a patched version
- Only impact on A, not C/I, Grafana is not critical
- However, taking into account that Grafana resides on a system where critical systems (Icinga) are hosted...
We've sent off an email to Grafana and we've blocked the URL. We are running a version that supposedly should be patched, but I can still reproduce it.
Proper fix is available with https://github.com/grafana/grafana/pull/31263
Opening to track deployment of it.
WMF have still kept the stop-gap, and it's an extra layer, so it's worth keeping as well.
Will make public once WMF confirm they have no objections too, as they've been involved in a lot.