CVE-2021-43798
📋 TL;DR
CVE-2021-43798 is a directory traversal vulnerability in Grafana that allows attackers to read arbitrary files on the server by exploiting a flaw in the plugin URL handling. This affects self-hosted Grafana installations running vulnerable versions, potentially exposing sensitive configuration files, credentials, or other local data. Grafana Cloud instances are not affected.
💻 Affected Systems
- Grafana
📦 What is this software?
Grafana by Grafana
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through reading sensitive files like /etc/passwd, Grafana configuration files containing database credentials, or SSH keys, leading to lateral movement and data exfiltration.
Likely Case
Unauthorized access to sensitive configuration files, potentially exposing database credentials, API keys, or other secrets stored in readable files on the Grafana server.
If Mitigated
Limited impact with proper network segmentation, file system permissions restricting Grafana's access, and monitoring for suspicious file access patterns.
🎯 Exploit Status
Multiple public exploit scripts and detailed technical analysis available. Exploitation requires no authentication and uses simple HTTP requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.0.7, 8.1.8, 8.2.7, or 8.3.1
Vendor Advisory: https://grafana.com/blog/2021/12/10/grafana-8.3.1-released-with-high-severity-security-fix/
Restart Required: Yes
Instructions:
1. Identify the current Grafana version.
2. Back up configuration and data.
3. Upgrade to a patched version using the package manager (apt/yum) or a download from the Grafana website.
4. Restart the Grafana service.
5. Verify that the upgrade completed successfully.
🔧 Temporary Workarounds
Web Application Firewall Rule
Block malicious requests to the vulnerable endpoint using regex patterns
WAF specific - configure rule to block requests matching pattern: ^/public/plugins/[^/]+/.*\.\./
Reverse Proxy Blocking
Configure nginx or Apache to block traversal attempts
location ~ ^/public/plugins/[^/]+/(.*\.\./) { return 403; }
🧯 If You Can't Patch
- Implement network segmentation to restrict Grafana server access to trusted networks only
- Apply strict file system permissions to limit Grafana process access to sensitive files
🔍 How to Verify
Check if Vulnerable:
Check the Grafana version: if it is between 8.0.0-beta1 and 8.3.0 (excluding 8.0.7, 8.1.8, 8.2.7, 8.3.1), you are vulnerable. Test with curl:
curl -v 'http://grafana-host/public/plugins/alertlist/../../../../../../../../etc/passwd'
Check Version:
grafana-server -v or check /usr/share/grafana/VERSION file
Verify Fix Applied:
After patching, the same curl command should return 404 or proper error instead of file contents. Verify version shows patched release.
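The version range above has an edge case worth handling in code: pre-release versions such as 8.0.0-beta1 sort before the matching release, and a patch release later than the fix on the same minor line (8.2.8 after 8.2.7, for example) should be treated as fixed. The following script is an added example, not part of the advisory or Grafana's own tooling; it encodes the range and fixed releases exactly as stated above, and its assumption that `grafana-server -v` prints a line containing a token like `Version 8.3.0` is labelled in the code.

```python
import re

# Range and patched releases exactly as stated in the advisory.
FIRST_VULNERABLE = "8.0.0-beta1"
LAST_VULNERABLE = "8.3.0"
FIXED_VERSIONS = ("8.0.7", "8.1.8", "8.2.7", "8.3.1")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)(\d*))?$")


def parse_version(text):
    """Turn '8.3.0' or '8.0.0-beta1' into a tuple that sorts correctly.

    A pre-release (beta1, rc1, ...) sorts before the final release with the
    same number, so 8.0.0-beta1 < 8.0.0 < 8.0.1.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, tag, num = m.groups()
    pre = (0, tag, int(num or 0)) if tag else (1, "", 0)
    return (int(major), int(minor), int(patch)) + pre


def is_vulnerable(version):
    """True when the version is inside the advisory's vulnerable range and
    not at or beyond the patched release for its minor line.

    Generalisation beyond the advisory text (an assumption of this example):
    a patch release newer than the fix on the same minor line is treated as
    fixed, e.g. 8.1.9 counts as fixed because 8.1.8 carries the fix.
    """
    pv = parse_version(version)
    for fixed in FIXED_VERSIONS:
        fv = parse_version(fixed)
        if pv[:2] == fv[:2] and pv >= fv:
            return False
    return parse_version(FIRST_VULNERABLE) <= pv <= parse_version(LAST_VULNERABLE)


def version_from_output(output):
    """Extract the version token from `grafana-server -v` output.

    Assumption: the command prints something like 'Version 8.3.0 (commit: ..., branch: ...)'.
    The VERSION file named in the advisory contains just the bare version string,
    which this function also accepts.
    """
    m = re.search(r"\b(\d+\.\d+\.\d+(?:-[a-z]+\d*)?)\b", output)
    if not m:
        raise ValueError("no version string found in output")
    return m.group(1)


if __name__ == "__main__":
    # Constructed sample output, as if captured from `grafana-server -v`.
    sample = "Version 8.3.0 (commit: 0000000, branch: HEAD)"
    v = version_from_output(sample)
    print(f"Grafana {v}: {'VULNERABLE' if is_vulnerable(v) else 'not affected'}")
```

Run it with the real output piped in (`grafana-server -v | python3 check_version.py` after replacing the sample block with `sys.stdin.read()`), or call `is_vulnerable()` directly from an inventory script that already knows each host's version.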
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses to /public/plugins/ with ../ sequences in URL
- Unusual file access patterns from Grafana process
Network Indicators:
- HTTP requests containing /public/plugins/ followed by directory traversal sequences (../)
SIEM Query:
source="grafana" AND url="/public/plugins/*" AND (url="*../*" OR (status=200 AND bytes>1000))
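The log and SIEM indicators above match the literal `../` sequence; a practitioner also wants to catch percent-encoded forms (`%2e%2e%2f`, `..%2F`, double-encoded `%252e`) that a wildcard on `../` misses, and to distinguish attempts from likely successful reads using the response status. The script below is an added example, not part of the advisory; it runs over constructed access-log lines in nginx/Apache "combined" format, decodes the request path repeatedly before inspection, and reports every request under `/public/plugins/` whose decoded path contains a `..` segment.

```python
import re
from urllib.parse import unquote

# nginx/Apache "combined" format: client, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
PLUGIN_PREFIX = "/public/plugins/"

# Constructed sample log lines (not real traffic): one literal traversal that
# succeeded, one percent-encoded traversal that succeeded, one legitimate
# plugin asset, one encoded attempt that was refused, and an unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:10:01:02 +0000] "GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1" 200 1723 "-" "curl/7.68.0"',
    '203.0.113.7 - - [10/Dec/2021:10:01:05 +0000] "GET /public/plugins/grafana/%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1723 "-" "curl/7.68.0"',
    '198.51.100.4 - - [10/Dec/2021:10:02:11 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:10:03:40 +0000] "GET /public/plugins/alertlist/..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 153 "-" "curl/7.68.0"',
    '192.0.2.9 - - [10/Dec/2021:10:04:00 +0000] "GET /api/health HTTP/1.1" 200 49 "-" "kube-probe/1.21"',
]


def normalise_path(path):
    """Drop the query string and percent-decode until the path stops changing,
    so %2e%2e%2f and double-encoded %252e%252e both collapse to '..'.
    The loop is bounded so pathological input cannot spin it."""
    path = path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_traversal(path):
    """True when a request under /public/plugins/ contains a '..' segment
    after decoding. Backslashes are treated as separators as well."""
    norm = normalise_path(path)
    if not norm.startswith(PLUGIN_PREFIX):
        return False
    segments = re.split(r"[/\\]+", norm[len(PLUGIN_PREFIX):])
    return ".." in segments


def analyse_log(lines):
    """Return one finding per suspicious request. An HTTP 200 on a traversal
    path is flagged as a likely successful file read; anything else is an
    attempt that the server (or a WAF/proxy in front of it) refused."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not has_traversal(m.group("path")):
            continue
        status = int(m.group("status"))
        findings.append({
            "client": m.group("ip"),
            "time": m.group("ts"),
            "path": m.group("path"),
            "status": status,
            "likely_success": status == 200,
        })
    return findings


if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG):
        verdict = "LIKELY READ" if f["likely_success"] else "blocked/failed"
        print(f'{f["time"]} {f["client"]} {f["status"]} {verdict}: {f["path"]}')
```

Point `analyse_log()` at the access log of the reverse proxy in front of Grafana rather than only at Grafana's own log: if the proxy blocks the request (as the 403 rule in the workaround section does), only the proxy records it, and a run of refused attempts from one client is still worth an alert.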
🔗 References
- http://packetstormsecurity.com/files/165198/Grafana-Arbitrary-File-Reading.html
- http://packetstormsecurity.com/files/165221/Grafana-8.3.0-Directory-Traversal-Arbitrary-File-Read.html
- http://www.openwall.com/lists/oss-security/2021/12/09/2
- http://www.openwall.com/lists/oss-security/2021/12/10/4
- https://github.com/grafana/grafana/commit/c798c0e958d15d9cc7f27c72113d572fa58545ce
- https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p
- https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/
- https://security.netapp.com/advisory/ntap-20211229-0004/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-43798