Vulnerability CVE-2021-43798: Information

Description

Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `<grafana_host_url>/public/plugins//`, where is the plugin ID for any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-43798
Published: Dec. 7, 2021
Modified: April 12, 2022
Error type identifier: CWE-22

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
grafanasisyphus8.1.8-alt110.2.2-alt1.1ALT-PU-2021-3505-1291699Fixed
grafanap108.1.8-alt110.2.2-alt1.1ALT-PU-2021-3543-1291697Fixed
grafanac10f18.1.8-alt110.2.2-alt1.1ALT-PU-2021-3543-1291697Fixed
grafanac9f28.1.8-alt19.5.5-alt1ALT-PU-2022-1249-1293762Fixed
grafanap118.1.8-alt110.2.2-alt1.1ALT-PU-2021-3505-1291699Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p
  • Patch
  • Third Party Advisory
https://github.com/grafana/grafana/commit/c798c0e958d15d9cc7f27c72113d572fa58545ce
  • Patch
  • Third Party Advisory
http://packetstormsecurity.com/files/165198/Grafana-Arbitrary-File-Reading.html
  • Third Party Advisory
  • VDB Entry
https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/
  • Vendor Advisory
http://packetstormsecurity.com/files/165221/Grafana-8.3.0-Directory-Traversal-Arbitrary-File-Read.html
  • Exploit
  • Third Party Advisory
  • VDB Entry
[oss-security] 20211209 CVE-2021-43798 Grafana directory traversal
  • Mailing List
  • Patch
  • Third Party Advisory
[oss-security] 20211210 CVE-2021-43813 and CVE-2021-43815 - Grafana directory traversal for some .md and .csv files
  • Mailing List
  • Patch
  • Third Party Advisory
https://security.netapp.com/advisory/ntap-20211229-0004/
  • Third Party Advisory

    1. Configuration 1

      cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
      Start including
      8.2.0
      End excliding
      8.2.7
      cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
      Start including
      8.1.0
      End excliding
      8.1.8
      cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
      Start including
      8.0.1
      End excliding
      8.0.7
      cpe:2.3:a:grafana:grafana:8.3.0:*:*:*:*:*:*:*
      cpe:2.3:a:grafana:grafana:8.0.0:beta1:*:*:*:*:*:*
      cpe:2.3:a:grafana:grafana:8.0.0:beta2:*:*:*:*:*:*
      cpe:2.3:a:grafana:grafana:8.0.0:beta3:*:*:*:*:*:*
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: v24.5.3
Back to top