Grafana - Arbitrary File Read CVE-2021-43798
- Severity
- CVSSv3 Score
- 7.5
- Vulnerability description
Grafana server is affected by an Arbitrary File Read through a Path Traversal vulnerability in the /public/plugins/ endpoint. The root cause is improper path normalization: the path requested under a plugin's directory is not canonicalized before the file is served. Affected versions range from 8.0.0-beta1 to 8.3.0.
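Because the weakness is a missing normalization step on the path under /public/plugins/, a defender can apply that same normalization to web-server access logs and flag requests whose resolved path leaves the plugin directory. The script below is an added example for this advisory, not Grafana's code or the scanner's detection logic; the log lines are constructed samples in Combined Log Format.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [08/Dec/2021:10:01:02 +0000] "GET /public/plugins/grafana-clock-panel/module.js HTTP/1.1" 200 4211
10.0.0.9 - - [08/Dec/2021:10:01:07 +0000] "GET /public/plugins/grafana-clock-panel/../../../../../../etc/passwd HTTP/1.1" 200 1830
10.0.0.9 - - [08/Dec/2021:10:01:09 +0000] "GET /public/plugins/alertlist/..%2f..%2f..%2fconf%2fdefaults.ini HTTP/1.1" 200 9000
10.0.0.7 - - [08/Dec/2021:10:01:15 +0000] "GET /api/health HTTP/1.1" 200 52
10.0.0.7 - - [08/Dec/2021:10:01:20 +0000] "GET /public/plugins/alertlist/img/./icon.svg HTTP/1.1" 200 700
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

PLUGIN_PREFIX = "/public/plugins/"


def escapes_plugin_dir(target: str) -> bool:
    """True if a request to /public/plugins/<id>/<file> resolves outside <id>'s directory."""
    path = unquote(target.split("?", 1)[0])  # drop the query string, decode %2e / %2f
    if not path.startswith(PLUGIN_PREFIX):
        return False
    plugin_id, _, subpath = path[len(PLUGIN_PREFIX):].partition("/")
    if not plugin_id or not subpath:
        return False  # bare plugin directory request, nothing to traverse
    root = PLUGIN_PREFIX + plugin_id
    # This is the normalization the vulnerable versions lacked: collapse "." and ".." segments.
    resolved = posixpath.normpath(root + "/" + subpath)
    return not (resolved == root or resolved.startswith(root + "/"))


def find_traversal(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client ip, raw request target, status) for every request that escapes its plugin dir."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and escapes_plugin_dir(m["target"]):
            hits.append((m["ip"], m["target"], m["status"]))
    return hits


if __name__ == "__main__":
    for ip, target, status in find_traversal(SAMPLE_LOG):
        print(f"traversal from {ip}: {target} (HTTP {status})")
```

A 200 status on a flagged line means the file was actually served, which is the case to treat as a confirmed read rather than a mere probe.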
- Risk description
The risk exists that a remote unauthenticated attacker could exploit this vulnerability to read sensitive information from arbitrary files located on the file system of the server.
- Exploit capabilities
Sniper can read arbitrary files from the target system and extract them as evidence.
- Recommendation
Upgrade the Grafana server to the latest version, or at least to a fixed release of its branch: 8.3.1, 8.2.7, 8.1.8, or 8.0.7.
- References
- https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/
- https://nvd.nist.gov/vuln/detail/CVE-2021-43798
- Codename
- Not available
- Detectable with
- Network Scanner
- Scan engine
- Sniper
- Exploitable with Sniper
- Yes
- CVE Published
- Nov 16, 2021
- Detection added at
- Software Type
- Monitoring system
- Vendor
- Grafana
- Product
- Labs