| Vulnerability Name: | CVE-2021-43798 (CCN-214666) | ||||||||||||||||||||||||
| Assigned: | 2021-12-07 | ||||||||||||||||||||||||
| Published: | 2021-12-07 | ||||||||||||||||||||||||
| Updated: | 2022-04-12 | ||||||||||||||||||||||||
| Summary: | Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `<grafana_host_url>/public/plugins//`, where is the plugin ID for any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline. | ||||||||||||||||||||||||
| CVSS v3 Severity: | 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) 6.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C)
6.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C)
| ||||||||||||||||||||||||
| CVSS v2 Severity: | 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
| ||||||||||||||||||||||||
| Vulnerability Type: | CWE-22 | ||||||||||||||||||||||||
| Vulnerability Consequences: | Obtain Information | ||||||||||||||||||||||||
| References: | Source: MITRE Type: CNA CVE-2021-43798 Source: MISC Type: Third Party Advisory, VDB Entry http://packetstormsecurity.com/files/165198/Grafana-Arbitrary-File-Reading.html Source: MISC Type: Exploit, Third Party Advisory, VDB Entry http://packetstormsecurity.com/files/165221/Grafana-8.3.0-Directory-Traversal-Arbitrary-File-Read.html Source: MLIST Type: Mailing List, Patch, Third Party Advisory [oss-security] 20211209 CVE-2021-43798 Grafana directory traversal Source: MLIST Type: Mailing List, Patch, Third Party Advisory [oss-security] 20211210 CVE-2021-43813 and CVE-2021-43815 - Grafana directory traversal for some .md and .csv files Source: XF Type: UNKNOWN grafana-cve202143798-dir-traversal(214666) Source: MISC Type: Patch, Third Party Advisory https://github.com/grafana/grafana/commit/c798c0e958d15d9cc7f27c72113d572fa58545ce Source: CCN Type: Grafana GIT Repository Grafana path traversal Source: CONFIRM Type: Patch, Third Party Advisory https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p Source: CONFIRM Type: Vendor Advisory https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/ Source: CCN Type: Packet Storm Security [12-08-2021] Grafana Arbitrary File Reading Source: CCN Type: Packet Storm Security [12-09-2021] Grafana 8.3.0 Directory Traversal / Arbitrary File Read Source: CONFIRM Type: Third Party Advisory https://security.netapp.com/advisory/ntap-20211229-0004/ Source: EXPLOIT-DB Type: EXPLOIT Offensive Security Exploit Database [12-09-2021] | ||||||||||||||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||||||||||||||||||
| Oval Definitions | |||||||||||||||||||||||||
| |||||||||||||||||||||||||
| BACK | |||||||||||||||||||||||||