Grafana Arbitrary Read File Vulnerability (CVE-2021-43798) Alert
Grafana is an open-source visualization and analytics platform that unifies data sets across your company into an interactive diagnostic workspace. Grafana is built on a plug-in architecture that allows you to interact with the underlying data sources without creating data copies. Create, explore, and share dashboards with your team and foster a data-driven culture: Visualize, Dynamic Dashboards, Explore Metrics, Explore Logs, Alerting, Mixed Data Sources.
On December 4, 2021, a security researcher publicly disclosed an arbitrary file read vulnerability in Grafana. It was a 0-day at the time of disclosure: unauthenticated attackers can exploit it to read sensitive files from the server.
At the time of writing there is no patch for it. We therefore recommend that users check their own instances and take precautions to avoid attacks.
Update: December 12
The vulnerability CVE is CVE-2021-43798 with a CVSS score of 7.5.
The vulnerable URL path is <grafana_host_url>/public/plugins/<plugin-id>, where <plugin-id> is the plugin ID of any installed plugin.
Every Grafana instance ships with pre-installed plugins (for example the Prometheus and MySQL plugins), so the following URLs are vulnerable on every instance:
- <grafana_host_url>/public/plugins/alertlist/
- <grafana_host_url>/public/plugins/annolist/
- <grafana_host_url>/public/plugins/barchart/
- <grafana_host_url>/public/plugins/bargauge/
- <grafana_host_url>/public/plugins/candlestick/
- <grafana_host_url>/public/plugins/cloudwatch/
- <grafana_host_url>/public/plugins/dashlist/
- <grafana_host_url>/public/plugins/elasticsearch/
- <grafana_host_url>/public/plugins/gauge/
- <grafana_host_url>/public/plugins/geomap/
- <grafana_host_url>/public/plugins/gettingstarted/
- <grafana_host_url>/public/plugins/grafana-azure-monitor-datasource/
- <grafana_host_url>/public/plugins/graph/
- <grafana_host_url>/public/plugins/heatmap/
- <grafana_host_url>/public/plugins/histogram/
- <grafana_host_url>/public/plugins/influxdb/
- <grafana_host_url>/public/plugins/jaeger/
- <grafana_host_url>/public/plugins/logs/
- <grafana_host_url>/public/plugins/loki/
- <grafana_host_url>/public/plugins/mssql/
- <grafana_host_url>/public/plugins/mysql/
- <grafana_host_url>/public/plugins/news/
- <grafana_host_url>/public/plugins/nodeGraph/
- <grafana_host_url>/public/plugins/opentsdb/
- <grafana_host_url>/public/plugins/piechart/
- <grafana_host_url>/public/plugins/pluginlist/
- <grafana_host_url>/public/plugins/postgres/
- <grafana_host_url>/public/plugins/prometheus/
- <grafana_host_url>/public/plugins/stackdriver/
- <grafana_host_url>/public/plugins/stat/
- <grafana_host_url>/public/plugins/state-timeline/
- <grafana_host_url>/public/plugins/status-history/
- <grafana_host_url>/public/plugins/table/
- <grafana_host_url>/public/plugins/table-old/
- <grafana_host_url>/public/plugins/tempo/
- <grafana_host_url>/public/plugins/testdata/
- <grafana_host_url>/public/plugins/text/
- <grafana_host_url>/public/plugins/timeseries/
- <grafana_host_url>/public/plugins/welcome/
- <grafana_host_url>/public/plugins/zipkin/
Affected version
- Grafana 8.0.0-beta1 to 8.3.0
PoC
- $HOST/public/plugins/graph/../../../../../../../../etc/passwd
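The PoC above is a plain `../` traversal under `/public/plugins/<plugin-id>/`, which makes the pattern easy to hunt for in access logs. The following detector is an added example, not part of the original advisory or of Grafana: it assumes a reverse proxy in front of Grafana writing common-log-format lines (the sample lines are constructed here), percent-decodes the request target until it is stable so that encoded dots are normalised, and flags any request that reaches a `..` segment below the plugin directory.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a reverse-proxy (common log format) access log
# in front of Grafana. These are not real Grafana output; they are assumed
# here only to exercise the detector.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2021:10:01:02 +0000] "GET /public/plugins/graph/module.js HTTP/1.1" 200 1234
10.0.0.9 - - [12/Dec/2021:10:01:07 +0000] "GET /public/plugins/graph/../../../../../../../../etc/passwd HTTP/1.1" 200 2048
10.0.0.9 - - [12/Dec/2021:10:01:09 +0000] "GET /public/plugins/mysql/..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 2048
10.0.0.9 - - [12/Dec/2021:10:01:11 +0000] "GET /public/plugins/prometheus/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 99
10.0.0.7 - - [12/Dec/2021:10:02:00 +0000] "GET /api/dashboards/home HTTP/1.1" 200 512
10.0.0.7 - - [12/Dec/2021:10:02:30 +0000] "GET /public/plugins/table/img/icon.svg HTTP/1.1" 200 300
"""

# Extracts method and request target from the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
PLUGIN_PREFIX = "/public/plugins/"


def fully_decode(s, max_rounds=3):
    """Percent-decode until stable so that double-encoded dots are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal_request(target):
    """True when the request targets /public/plugins/ and climbs out of it."""
    path = target.split("?", 1)[0]          # drop the query string
    decoded = fully_decode(path).replace("\\", "/")
    if not decoded.startswith(PLUGIN_PREFIX):
        return False
    below_prefix = decoded[len(PLUGIN_PREFIX):]
    # A bare '..' segment anywhere under the plugin directory is the signal;
    # legitimate plugin assets never need to reference the parent directory.
    return ".." in below_prefix.split("/")


def scan_log(text):
    """Return (client_ip, request_target) for every matching line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_traversal_request(m.group("target")):
            hits.append((line.split(" ", 1)[0], m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"possible CVE-2021-43798 probe from {ip}: {target}")
```

Run it against the constructed sample and the three requests from 10.0.0.9 are reported while the ordinary plugin asset loads are not. Matching on a decoded `..` segment rather than on the literal string `../` is the design point: a rule that only matches the raw PoC misses the same request once it is percent-encoded.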
Solution
Please update Grafana to version 8.3.1, 8.2.7, 8.1.8, or 8.0.7, whichever is the patched release of the branch you are running.
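To turn the affected range and the four fixed releases into a self-check, the following added example (not part of the advisory or of Grafana) compares a version string reported by an instance against the range 8.0.0-beta1 to 8.3.0 and against the fix on the same minor branch. The `v` prefix handling and the plain-string ordering of pre-release tags are assumptions made here for simplicity.

```python
import re

# Affected range and fixed releases exactly as the advisory states them.
AFFECTED_MIN = "8.0.0-beta1"
AFFECTED_MAX = "8.3.0"
FIXED_VERSIONS = ["8.0.7", "8.1.8", "8.2.7", "8.3.1"]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Turn '8.0.0-beta1' or 'v8.2.6' into a comparable tuple.

    A pre-release sorts before the release it precedes: the fourth element is
    0 for pre-releases and 1 for releases. Pre-release tags compare as plain
    strings, which is sufficient for the beta tags in this range (assumption).
    """
    m = VERSION_RE.match(text.strip().lstrip("v"))
    if not m:
        raise ValueError(f"unrecognised Grafana version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre or "")


def is_affected(version):
    """True when the version is inside the affected range and below its branch fix."""
    v = parse_version(version)
    if not (parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)):
        return False  # older than 8.0.0-beta1 or newer than 8.3.0
    fixes_by_branch = {parse_version(f)[:2]: parse_version(f) for f in FIXED_VERSIONS}
    fix = fixes_by_branch.get(v[:2])
    # 8.3.1 lies above AFFECTED_MAX, so every 8.3.x up to 8.3.0 is affected;
    # on the 8.0/8.1/8.2 branches anything at or above the fix is patched.
    return fix is None or v < fix


def recommended_fix(version):
    """Smallest fixed release on the same minor branch, else the newest fix."""
    branch = parse_version(version)[:2]
    for f in FIXED_VERSIONS:
        if parse_version(f)[:2] == branch:
            return f
    return FIXED_VERSIONS[-1]


if __name__ == "__main__":
    for v in ["8.0.0-beta1", "8.0.6", "8.1.8", "8.2.6", "8.3.0", "8.3.1", "8.4.0", "7.5.11"]:
        status = "AFFECTED -> upgrade to " + recommended_fix(v) if is_affected(v) else "not affected"
        print(f"{v:12} {status}")
```

The branch lookup is what makes the check useful: 8.1.8 and 8.2.7 fall inside the numeric range 8.0.0-beta1 to 8.3.0 yet are patched, so a naive range comparison alone would report them as vulnerable.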