// For flags

CVE-2021-43798

Grafana path traversal

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

38
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `<grafana_host_url>/public/plugins//`, where is the plugin ID for any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline.

Grafana es una plataforma de código abierto para la monitorización y la observación. Grafana versiones 8.0.0-beta1 hasta 8.3.0 (excepto las versiones parcheadas) son vulnerables a un salto de directorio, permitiendo el acceso a archivos locales. La ruta de la URL vulnerable es: "(grafana_host_url)/public/plugins//", donde está el ID del plugin para cualquier plugin instalado. En ningún momento Grafana Cloud ha sido vulnerable. Se aconseja a usuarios que actualicen a las versiones parcheadas 8.0.7, 8.1.8, 8.2.7 o 8.3.1. El aviso de seguridad de GitHub contiene más información sobre las rutas de URL vulnerables, la mitigación y el calendario de divulgación

Grafana versions 8.0.0-beta1 through 8.3.0 prior to 8.0.7, 8.1.8, 8.2.7, or 8.3.1 are vulnerable to directory traversal through the plugin URL. A valid plugin ID is required, but many are installed by default.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-11-16 CVE Reserved
  • 2021-12-07 CVE Published
  • 2021-12-07 First Exploit
  • 2024-08-04 CVE Updated
  • 2024-10-02 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
References (47)
URL Date SRC
https://github.com/jas502n/Grafana-CVE-2021-43798 2023-02-14
https://www.exploit-db.com/exploits/50581 2021-12-09
https://github.com/pedrohavay/exploit-grafana-CVE-2021-43798 2021-12-11
https://github.com/Mr-xn/CVE-2021-43798 2021-12-07
https://github.com/taythebot/CVE-2021-43798 2021-12-07
https://github.com/zer0yu/CVE-2021-43798 2021-12-07
https://github.com/ScorpionsMAX/CVE-2021-43798-Grafana-POC 2021-12-17
https://github.com/asaotomo/CVE-2021-43798-Grafana-Exp 2021-12-23
https://github.com/z3n70/CVE-2021-43798 2021-12-09
https://github.com/M0ge/CVE-2021-43798-grafana_fileread 2022-01-27
https://github.com/rnsss/CVE-2021-43798-poc 2022-01-07
https://github.com/Mo0ns/Grafana_POC-CVE-2021-43798 2021-12-09
https://github.com/s1gh/CVE-2021-43798 2021-12-15
https://github.com/rodpwn/CVE-2021-43798-mass_scanner 2022-01-11
https://github.com/hupe1980/CVE-2021-43798 2022-10-08
https://github.com/K3ysTr0K3R/CVE-2021-43798-EXPLOIT 2024-03-04
https://github.com/Ryze-T/CVE-2021-43798 2021-12-15
https://github.com/LongWayHomie/CVE-2021-43798 2021-12-22
https://github.com/Sic4rio/Grafana-Decryptor-for-CVE-2021-43798 2024-07-02
https://github.com/nuker/CVE-2021-43798 2023-07-19
https://github.com/MalekAlthubiany/CVE-2021-43798 2024-06-20
https://github.com/lalkaltest/CVE-2021-43798 2021-12-09
https://github.com/katseyres2/CVE-2021-43798 2023-10-26
https://github.com/wagneralves/CVE-2021-43798 2023-12-21
https://github.com/G01d3nW01f/CVE-2021-43798 2023-01-09
https://github.com/light-Life/CVE-2021-43798 2022-01-11
https://github.com/Iris288/CVE-2021-43798 2023-11-21
https://github.com/gps1949/CVE-2021-43798 2021-12-21
https://github.com/ticofookfook/CVE-2021-43798 2024-03-27
https://github.com/topyagyuu/CVE-2021-43798 2024-04-25
https://github.com/gixxyboy/CVE-2021-43798 2021-12-12
https://github.com/k3rwin/CVE-2021-43798-Grafana 2022-03-16
https://github.com/JiuBanSec/Grafana-CVE-2021-43798 2021-12-13
https://github.com/halencarjunior/grafana-CVE-2021-43798 2021-12-21
https://github.com/victorhorowitz/grafana-exploit-CVE-2021-43798 2023-09-03
https://github.com/BJLIYANLIANG/CVE-2021-43798-Grafana-File-Read 2021-12-11
https://github.com/lfz97/CVE-2021-43798-Grafana-File-Read 2021-12-09
http://packetstormsecurity.com/files/165221/Grafana-8.3.0-Directory-Traversal-Arbitrary-File-Read.html 2024-08-04
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Grafana
Search vendor "Grafana"
Grafana
Search vendor "Grafana" for product "Grafana"
>= 8.0.1 < 8.0.7
Search vendor "Grafana" for product "Grafana" and version " >= 8.0.1 < 8.0.7"
-
Affected
Grafana
Search vendor "Grafana"
Grafana
Search vendor "Grafana" for product "Grafana"
>= 8.1.0 < 8.1.8
Search vendor "Grafana" for product "Grafana" and version " >= 8.1.0 < 8.1.8"
-
Affected
Grafana
Search vendor "Grafana"
Grafana
Search vendor "Grafana" for product "Grafana"
>= 8.2.0 < 8.2.7
Search vendor "Grafana" for product "Grafana" and version " >= 8.2.0 < 8.2.7"
-
Affected
Grafana
Search vendor "Grafana"
Grafana
Search vendor "Grafana" for product "Grafana"
8.0.0
Search vendor "Grafana" for product "Grafana" and version "8.0.0"
beta1
Affected
Grafana
Search vendor "Grafana"
Grafana
Search vendor "Grafana" for product "Grafana"
8.0.0
Search vendor "Grafana" for product "Grafana" and version "8.0.0"
beta2
Affected
Grafana
Search vendor "Grafana"
Grafana
Search vendor "Grafana" for product "Grafana"
8.0.0
Search vendor "Grafana" for product "Grafana" and version "8.0.0"
beta3
Affected
Grafana
Search vendor "Grafana"
Grafana
Search vendor "Grafana" for product "Grafana"
8.3.0
Search vendor "Grafana" for product "Grafana" and version "8.3.0"
-
Affected