Grafana - Arbitrary File Read (CVE-2021-43798)

Grafana server is affected by an Arbitrary File Read through a Path Traversal vulnerability, located in the /public/plugins/ endpoint. The root cause of this vulnerability consists in improper path normalization. All the versions affected are between 8.0.0-beta1 and 8.3.0.

Sniper can read arbitrary files from the target system and extract them as evidence.

The risk exists that a remote unauthenticated attacker could exploit this vulnerability to read sensitive information from arbitrary files located on the file system of the server.

Upgrade the Grafana server to the latest version or to a version higher or equal than 8.3.1, 8.2.7, 8.1.8, and 8.0.7.

https://nvd.nist.gov/vuln/detail/CVE-2021-43798

https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/