VuXML: Grafana -- Path Traversal

VuXML ID	e33880ed-5802-11ec-8398-6c3be5272acd
Discovery	2021-12-03
Entry	2021-12-11

Grafana Labs reports:

Grafana is vulnerable to directory traversal, allowing access to local files. We have confirmed this for versions v8.0.0-beta1 to v8.3.0. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.

The vulnerable URL path is: <grafana_host_url>/public/plugins/<“plugin-id”> where <“plugin-id”> is the plugin ID for any installed plugin.

Every Grafana instance comes with pre-installed plugins like the Prometheus plugin or MySQL plugin so the following URLs are vulnerable for every instance:

<grafana_host_url>/public/plugins/alertlist/

<grafana_host_url>/public/plugins/annolist/

<grafana_host_url>/public/plugins/barchart/

<grafana_host_url>/public/plugins/bargauge/

<grafana_host_url>/public/plugins/candlestick/

<grafana_host_url>/public/plugins/cloudwatch/

<grafana_host_url>/public/plugins/dashlist/

<grafana_host_url>/public/plugins/elasticsearch/

<grafana_host_url>/public/plugins/gauge/

<grafana_host_url>/public/plugins/geomap/

<grafana_host_url>/public/plugins/gettingstarted/

<grafana_host_url>/public/plugins/grafana-azure-monitor-datasource/

<grafana_host_url>/public/plugins/graph/

<grafana_host_url>/public/plugins/heatmap/

<grafana_host_url>/public/plugins/histogram/

<grafana_host_url>/public/plugins/influxdb/

<grafana_host_url>/public/plugins/jaeger/

<grafana_host_url>/public/plugins/logs/

<grafana_host_url>/public/plugins/loki/

<grafana_host_url>/public/plugins/mssql/

<grafana_host_url>/public/plugins/mysql/

<grafana_host_url>/public/plugins/news/

<grafana_host_url>/public/plugins/nodeGraph/

<grafana_host_url>/public/plugins/opentsdb

<grafana_host_url>/public/plugins/piechart/

<grafana_host_url>/public/plugins/pluginlist/

<grafana_host_url>/public/plugins/postgres/

<grafana_host_url>/public/plugins/prometheus/

<grafana_host_url>/public/plugins/stackdriver/

<grafana_host_url>/public/plugins/stat/

<grafana_host_url>/public/plugins/state-timeline/

<grafana_host_url>/public/plugins/status-history/

<grafana_host_url>/public/plugins/table/

<grafana_host_url>/public/plugins/table-old/

<grafana_host_url>/public/plugins/tempo/

<grafana_host_url>/public/plugins/testdata/

<grafana_host_url>/public/plugins/text/

<grafana_host_url>/public/plugins/timeseries/

<grafana_host_url>/public/plugins/welcome/

<grafana_host_url>/public/plugins/zipkin/

[source]

CVE Name	CVE-2021-43798
URL	https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/

Grafana -- Path Traversal

Details

References