Hey, thanks for the response. Can I get any kind of token of appreciation for my work if possible?

Best,
Dgirlwhohacks

On Sun, 28 Feb, 2021, 9:16 pm Jeremy Stanley, <fungi@yuggoth.org> wrote:
On 2021-02-28 17:03:13 +0530 (+0530), Divya Singh wrote:
Any update on this? [...]
Thanks for the reminder; subsequent discussion ended up happening in IRC and we neglected to follow up on this mailing list thread.
Roughly 22 hours after you contacted this discussion list (some of the delay was waiting on list moderators like me to approve the message), we merged https://review.opendev.org/775548 to block access to any paths starting with "/api/snapshots" after confirming that the latest Grafana release was still vulnerable for sites like ours configured with anonymous access. At the same time, we also reached out to the Grafana maintainers privately via encrypted E-mail to let them know about this alternative avenue to the vulnerability.
A couple of days later they pushed and merged https://github.com/grafana/grafana/pull/31263 to correct it, cherry-picking a backport of it to the v7.4.x series in https://github.com/grafana/grafana/pull/31266 and immediately releasing that as v7.4.2. The next day we merged https://review.opendev.org/776553 to upgrade our deployment to the new fixed version, but kept access to /api/snapshots blocked as we treat the service as a read-only interface anyway (configured and managed exclusively through automated orchestration tools driven by code-reviewed Git commits).
Thanks again for bringing this to our attention!

-- 
Jeremy Stanley
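The front-end path block Jeremy's reply describes, as an added illustration that is not part of this thread and not the actual change merged in review 775548: a Python check that reduces an HTTP request target to a canonical path before applying the "/api/snapshots" prefix deny. A prefix rule compared against the raw target behaves differently from one compared after percent-decoding, duplicate-slash and dot-segment collapsing, so the normalization is done explicitly here. The normalization steps, the helper names and the sample request targets are all assumptions constructed for this example.

```python
import posixpath
from urllib.parse import unquote

# Path prefixes to deny at the front-end proxy (assumed list; the thread
# mentions only "/api/snapshots").
BLOCKED_PREFIXES = ("/api/snapshots",)


def normalize_path(request_target):
    """Reduce an HTTP origin-form request target to a canonical path.

    Steps (assumed to mirror what a typical reverse proxy does before
    matching location rules): drop the query string, percent-decode once,
    collapse duplicate slashes and dot segments, and reduce any run of
    leading slashes to a single one.
    """
    path = request_target.split("?", 1)[0]
    path = unquote(path)             # "%73napshots" -> "snapshots"
    path = posixpath.normpath(path)  # "a//b/../c" -> "a/c"
    # posixpath.normpath deliberately keeps exactly two leading slashes
    # (POSIX allows them to be special); a URL path has no such meaning,
    # so squash any leading run of slashes to a single one.
    return "/" + path.lstrip("/")


def is_blocked(request_target):
    """True if the normalized path starts with any blocked prefix."""
    path = normalize_path(request_target)
    return any(path.startswith(prefix) for prefix in BLOCKED_PREFIXES)


def classify(request_targets):
    """Return {target: "deny" | "allow"} for a batch of request targets."""
    return {t: ("deny" if is_blocked(t) else "allow") for t in request_targets}


# Constructed sample request targets, not taken from any real access log.
SAMPLE_TARGETS = [
    "/api/snapshots",
    "/api/snapshots/abc123?x=1",
    "/api//snapshots/abc123",
    "/api/%73napshots/abc123",
    "/api/dashboards/../snapshots/abc123",
    "//api/snapshots",
    "/api/dashboards/home",
    "/login",
]

if __name__ == "__main__":
    for target, decision in classify(SAMPLE_TARGETS).items():
        print(f"{decision:5s} {target}")
```

The proxy and the application behind it do not necessarily parse a request target identically, which is why a rule like this is best kept as a defence-in-depth layer next to the upstream fix rather than as a substitute for it; that matches the reply above, where the block stayed in place after the deployment was upgraded to v7.4.2.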