CVE-2021-39226 Discovered on endpoint https://██████/api/snapshots
Severity: High
Program: U.S. Dept Of Defense
Reported by: adam_wallwork
## Vulnerability Details
**Description:**
CVE-2021-39226 was discovered on the endpoint https://███████/api/snapshots/:key. The issue poses a significant risk to the confidentiality and integrity of snapshot data, giving both authenticated and unauthenticated users unauthorized access and deletion capabilities.
## References
https://nvd.nist.gov/vuln/detail/CVE-2021-39226
## Impact
"In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss."
Source: https://nvd.nist.gov/vuln/detail/CVE-2021-39226
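As an added example (not part of this report and not Grafana's own code), the following Python script shows how a defender can spot the literal-path requests described in the Impact section in web-server access logs, and check whether the `public_mode` setting that extends deletion to unauthenticated users is enabled in grafana.ini. The log lines and the ini fragment are constructed samples; the Common Log Format layout and the `[snapshots]` section name are assumptions based on typical deployments and Grafana's configuration file.

```python
import configparser
import re
from urllib.parse import unquote

# Literal (unsubstituted) route parameters abused by CVE-2021-39226.
# No legitimate client sends these strings; the server resolves them to
# the snapshot with the lowest database key.
LITERAL_PATHS = (
    "/dashboard/snapshot/:key",
    "/api/snapshots/:key",
    "/api/snapshots-delete/:deleteKey",
)

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2021:12:00:01 +0000] "GET /api/snapshots/:key HTTP/1.1" 200 812
10.0.0.5 - - [01/Oct/2021:12:00:02 +0000] "GET /api/snapshots-delete/:deleteKey HTTP/1.1" 200 35
10.0.0.9 - - [01/Oct/2021:12:00:03 +0000] "GET /api/snapshots/a1b2c3d4e5f6 HTTP/1.1" 200 812
10.0.0.7 - - [01/Oct/2021:12:00:04 +0000] "GET /dashboard/snapshot/%3Akey?orgId=1 HTTP/1.1" 200 4401
10.0.0.9 - - [01/Oct/2021:12:00:05 +0000] "GET /api/dashboards/home HTTP/1.1" 200 120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(target: str) -> str:
    """Drop the query string and percent-decode so '%3Akey' matches ':key'."""
    path = target.split("?", 1)[0]
    return unquote(path)


def find_literal_key_requests(log_text: str) -> list[dict]:
    """Return one record per request whose decoded path is one of the
    literal ':key' / ':deleteKey' routes named in the advisory."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        path = normalize_path(m.group("target"))
        if path in LITERAL_PATHS:
            hits.append({
                "ip": m.group("ip"),
                "path": path,
                "status": int(m.group("status")),
                # The literal deleteKey route destroys the lowest-keyed
                # snapshot, so it deserves a higher alert severity than a view.
                "action": "delete" if path.endswith(":deleteKey") else "view",
            })
    return hits


def public_mode_enabled(ini_text: str) -> bool:
    """True when grafana.ini sets [snapshots] public_mode = true, the setting
    that lets unauthenticated users reach the deletion path. Section and key
    names follow Grafana's configuration file (assumed layout); absent means
    the default, false."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return cp.getboolean("snapshots", "public_mode", fallback=False)


# Constructed grafana.ini fragment with the risk-increasing setting.
SAMPLE_INI = """\
[snapshots]
external_enabled = false
public_mode = true
"""

if __name__ == "__main__":
    for hit in find_literal_key_requests(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['action']:6} {hit['path']} -> {hit['status']}")
    print("public_mode enabled:", public_mode_enabled(SAMPLE_INI))
```

The percent-decoding step matters: matching the raw request target would miss an encoded colon, and the query-string strip keeps `?orgId=1` from hiding an otherwise identical path. A 200 status on any of these hits is the signal that the instance is still vulnerable; after patching, the same requests should not resolve to a real snapshot.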
## System Host(s)
██████
## Affected Product(s) and Version(s)
Grafana
## CVE Numbers
CVE-2021-39226
## Steps to Reproduce
Visit the endpoint 'https://████/api/snapshots' and append the literal '/:key' to view snapshot data; to delete, visit 'https://█████/api/snapshots-delete' and append the literal '/:deleteKey'. Together these allow viewing and deleting all snapshot data.
## Suggested Mitigation/Remediation Actions
## Related CVEs
CVE-2021-39226 (CRITICAL): Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users …
## Report Details
State: Closed
Substate: Resolved
Weakness: Improper Access Control - Generic