PT-2021-23954 · Grafana+2 · Grafana+2

Published

2021-12-10

·

Updated

2024-06-15

·

CVE-2021-43815

CVSS v3.1

4.3

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Grafana versions prior to 8.3.2 Grafana versions prior to 7.5.12
Description: The issue is related to a directory traversal vulnerability that allows access to arbitrary .csv files. This vulnerability is limited in scope and only affects instances with the TestData DB data source enabled and configured. It allows authenticated users to access files with the .csv extension. A workaround is available for users who cannot upgrade, which involves running a reverse proxy in front of Grafana to normalize the PATH of the request.
Recommendations: For versions prior to 8.3.2, update to version 8.3.2 or later to resolve the issue. For versions prior to 7.5.12, update to version 7.5.12 or later to resolve the issue. As a temporary workaround, consider running a reverse proxy in front of Grafana that normalizes the PATH of the request to mitigate the vulnerability. The proxy must also be able to handle URL encoded paths.

Exploit

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

ALT-PU-2022-1177
ALT-PU-2022-1806
ALT-PU-2022-1820
ALT-PU-2023-4567
BIT-GRAFANA-2021-43815
CVE-2021-43815
GHSA-7533-C8QV-JM9M
OPENSUSE-SU-2022_1396-1
OPENSUSE-SU-2022_4428-1
OPENSUSE-SU-2022_4437-1
OPENSUSE-SU-2024:13586-1
SUSE-FU-2022:1419-1
SUSE-SU-2022:0751-1
SUSE-SU-2022:1396-1
SUSE-SU-2022:2134-1
SUSE-SU-2022:3676-1
SUSE-SU-2022:4428-1
SUSE-SU-2022:4437-1
SUSE-SU-2022:4439-1
SUSE-SU-2024:0191-1
SUSE-SU-2024:0196-1
SUSE-SU-2024:0486-1
SUSE-SU-2024:0487-1

Affected Products

Alt Linux
Grafana
Suse