Grafana Arbitrary Read File Vulnerability (CVE-2021-43798) Alert

by do son · Published December 7, 2021 · Updated December 7, 2021

Grafana is an open-source visualization and analytics platform that unifies data sets across your company into an interactive diagnostic workspace. Grafana is built on a plug-in architecture that allows you to interact with the underlying data sources without creating data copies. Create, explore, and share dashboards with your team and foster a data-driven culture: Visualize, Dynamic Dashboards, Explore Metrics, Explore Logs, Alerting, Mixed Data Sources.

On December 4, 2021, a security researcher revealed an arbitrary file reading vulnerability in Grafana on the Internet. This is an 0-day vulnerability. Unauthorized attackers can use this vulnerability to obtain sensitive files on the server.

There is currently no related patch. In this regard, we recommend that users do self-inspection and prevent to avoid hacker attacks.

Update: December, 12th

The vulnerability CVE is CVE-2021-43798 with a CVSS score of 7.5.

The vulnerable URL path is: <grafana_host_url>/public/plugins/<“plugin-id”> where <“plugin-id”> is the plugin ID for any installed plugin.

Every Grafana instance comes with pre-installed plugins like the Prometheus plugin or MySQL plugin so the following URLs are vulnerable for every instance:

<grafana_host_url>/public/plugins/alertlist/

<grafana_host_url>/public/plugins/annolist/

<grafana_host_url>/public/plugins/barchart/

<grafana_host_url>/public/plugins/bargauge/

<grafana_host_url>/public/plugins/candlestick/

<grafana_host_url>/public/plugins/cloudwatch/

<grafana_host_url>/public/plugins/dashlist/

<grafana_host_url>/public/plugins/elasticsearch/

<grafana_host_url>/public/plugins/gauge/

<grafana_host_url>/public/plugins/geomap/

<grafana_host_url>/public/plugins/gettingstarted/

<grafana_host_url>/public/plugins/grafana-azure-monitor-datasource/

<grafana_host_url>/public/plugins/graph/

<grafana_host_url>/public/plugins/heatmap/

<grafana_host_url>/public/plugins/histogram/

<grafana_host_url>/public/plugins/influxdb/

<grafana_host_url>/public/plugins/jaeger/

<grafana_host_url>/public/plugins/logs/

<grafana_host_url>/public/plugins/loki/

<grafana_host_url>/public/plugins/mssql/

<grafana_host_url>/public/plugins/mysql/

<grafana_host_url>/public/plugins/news/

<grafana_host_url>/public/plugins/nodeGraph/

<grafana_host_url>/public/plugins/opentsdb

<grafana_host_url>/public/plugins/piechart/

<grafana_host_url>/public/plugins/pluginlist/

<grafana_host_url>/public/plugins/postgres/

<grafana_host_url>/public/plugins/prometheus/

<grafana_host_url>/public/plugins/stackdriver/

<grafana_host_url>/public/plugins/stat/

<grafana_host_url>/public/plugins/state-timeline/

<grafana_host_url>/public/plugins/status-history/

<grafana_host_url>/public/plugins/table/

<grafana_host_url>/public/plugins/table-old/

<grafana_host_url>/public/plugins/tempo/

<grafana_host_url>/public/plugins/testdata/

<grafana_host_url>/public/plugins/text/

<grafana_host_url>/public/plugins/timeseries/

<grafana_host_url>/public/plugins/welcome/

<grafana_host_url>/public/plugins/zipkin/