This needs a closer look,

We applied the Grafana update which was supposed to fix this back in September 2019 in https://phabricator.wikimedia.org/T231790.

Grafana Labs fixed this in https://github.com/grafana/grafana/commit/be2e2330f5c1f92082841d7eb13c5583143963a4 which introduced a new configuration directive public_mode which defaults to "false". We don't apply this setting either in our puppetised grafana.ini, so we should be using the implicit default of "false" already: https://grafana.com/docs/grafana/latest/administration/configuration/

Also reproducible with grafana2001, which is running the latest 7.4.1 upstream.

To rule out some incorrect default option parsing I explicitly added "public_mode = false" to the [snapshots] section of grafana.ini, but that doesn't change anything either.

We have just applied a stopgap with https://gerrit.wikimedia.org/r/c/operations/puppet/+/664224 in the form of blocking access to POST /api/snapshots for the public vhost (both grafana.w.o and grafana-labs.w.o)

Interesting comeback of the CVE. Anyway, thanks for the tip @RhinosF1

@Paladox had already reached out to security@grafana and they stated:

You have anonymous access enabled, which means there is anonymous access enabled to the snapshot API. If you require anonymous access you should run Grafana behind an reverse proxy, and filter our requests to the snapshot endpoint.

This is a little surprising since it doesn't reflect the authorization role assigned in our config (which is the read-only "Viewer") and neither the original announcement nor the docs for "public_mode" at https://grafana.com/docs/grafana/latest/administration/configuration/ mentioned the latter part. But that means that 664224 is doing the right thing and can stay as a permanent setting.

I'll also prepare a PR for Grafana to update the docs for "public_mode". While the amount of intentionally public Grafana installations is probably very low, I'm sure others ran into the same issue.

I sent them a follow up email and they replied with:

Hi, 
public_mode enables snapshots anonymously when running with GF_AUTH_ANONYMOUS_ENABLED=false, 
the inverse is not true, that setting public_mode=false blocks access to the /snapshot endpoint even when GF_AUTH_ANONYMOUS_ENABLED=true 

Having said that, we're looking into the snapshot permissions again at the moment. I will get back to you when I have an answer.

FTR anonymous users can't create snapshots anymore as of Grafana 7.4.2 (https://github.com/grafana/grafana/pull/31263). I've imported that version internally and will upgrade

@Paladox: Can you get this pushed to us as well?

Thanks for all the help in investigating this.

In T274736#6840161, @RhinosF1 wrote:

@Paladox: Can you get this pushed to us as well?

Done by @Reception123.

Should be good to make public from my side and will do the same with our task unless anyone has any concerns

Many thanks to all for this. I was handled impeccably by all parties involved

I reviewed this task for completeness and PII. Making public now per request from @RhinosF1.

Added attribution per request of researcher.

This eventually got assigned CVE-2021-27358.