CVE Alert: CVE-2021-43798 – grafana – grafana
CVE-2021-43798
Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) are vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is `<grafana_host_url>/public/plugins/<plugin-id>/`, where `<plugin-id>` is the plugin ID of any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline.
AI Summary Analysis
Risk verdict
Exploitation in the wild has been reported; treat this as a high-priority risk requiring urgent remediation.
Why this matters
The flaw lets unauthenticated remote attackers read arbitrary files that the Grafana process can access. On a typical install that includes grafana.ini (which holds the secret_key and the initial admin credentials), the grafana.db SQLite database (which stores data-source credentials), logs, TLS private keys and any other secrets on the host. Recovered credentials enable follow-on access to the monitored systems and data sources, data leakage, and regulatory exposure if secrets or customer data are disclosed.
Most likely attack path
An unauthenticated attacker sends a single HTTP request over the network to /public/plugins/<plugin-id>/ followed by `../` sequences and the path of the target file; the vulnerable server joins that path onto the plugin directory without canonicalising it and returns the file. No user interaction is required, and because the plugin IDs bundled with every Grafana install are public knowledge, the attack needs no reconnaissance and is trivially automated. The baseline CVSS scores the impact as confidentiality only (file read, no integrity or availability impact), but the secrets recovered from those files can enable further exploitation.
Who is most exposed
Self-hosted Grafana instances reachable from untrusted networks, above all those exposed directly to the internet, are at greatest risk; an instance reachable only over a VPN is still exposed to everyone on that VPN. Grafana Cloud was never affected, so workloads on that service face a lower risk profile.
Detection ideas
- Requests to /public/plugins/<plugin-id>/ whose path contains `..` segments, including URL-encoded (%2e%2e) and double-encoded forms. Browsers and most proxies collapse dot segments before sending (curl, for example, only keeps them with --path-as-is), so a literal `..` reaching the server is itself suspicious.
- Repeated requests to plugin directories from a single external source, or spread across many plugin IDs, consistent with scanning.
- HTTP 200 responses to such requests, especially with response sizes that match sensitive files such as /etc/passwd, grafana.ini or grafana.db; a non-2xx status indicates the attempt was blocked or failed.
- Authentication anomalies following such requests, for example new admin logins or data-source changes made with credentials that could have been read from those files.
- WAF or reverse-proxy logs showing traversal payloads that were blocked or normalised before reaching Grafana.
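The detection ideas above, as an added example that is not part of the advisory or of Grafana's own code: a small scanner over combined-format access-log lines that percent-decodes each request path (repeatedly, to catch double encoding), resolves the dot segments the way a naive filesystem join would, and flags any request under /public/plugins/<plugin-id>/ that resolves outside that plugin's directory. The log lines are constructed for the example, and the log format and field names are assumptions.

```python
"""Flag path-traversal attempts under /public/plugins/ (CVE-2021-43798 pattern)
in HTTP access logs. Added example; not the advisory's or Grafana's code."""
import posixpath
import re
from urllib.parse import unquote

# Combined log format (assumed): ip - - [time] "METHOD PATH HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

PLUGIN_PREFIX = "/public/plugins/"


def decode_path(raw: str, rounds: int = 3) -> str:
    """Drop the query string and percent-decode repeatedly so that
    double-encoded payloads (%252e%252e) resolve to their literal form."""
    path = raw.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_plugin_dir(decoded_path: str):
    """Return (plugin_id, resolved_path) when the request targets
    /public/plugins/<id>/... and resolves outside that directory, else None."""
    if not decoded_path.startswith(PLUGIN_PREFIX):
        return None
    plugin_id, _, _ = decoded_path[len(PLUGIN_PREFIX):].partition("/")
    if not plugin_id:
        return None
    plugin_dir = PLUGIN_PREFIX + plugin_id + "/"
    # normpath resolves '.' and '..' like an unchecked filesystem join would,
    # clamping at '/', which is exactly what the vulnerable server did.
    resolved = posixpath.normpath(decoded_path)
    if resolved.startswith(plugin_dir) or resolved == plugin_dir.rstrip("/"):
        return None
    return plugin_id, resolved


def scan_log(lines):
    """Return one finding dict per line whose request escapes its plugin directory."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = escapes_plugin_dir(decode_path(m.group("path")))
        if hit:
            plugin_id, resolved = hit
            findings.append({
                "ip": m.group("ip"),
                "plugin": plugin_id,
                "target": resolved,
                "status": int(m.group("status")),  # 2xx means the file was served
                "raw": m.group("path"),
            })
    return findings


# Constructed sample lines (not real traffic): a benign asset fetch, a plain
# traversal, a URL-encoded one, a double-encoded one, and an unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Dec/2021:10:00:01 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 4521',
    '203.0.113.7 - - [07/Dec/2021:10:00:02 +0000] "GET /public/plugins/alertlist/../../../../../../etc/passwd HTTP/1.1" 200 1250',
    '198.51.100.9 - - [07/Dec/2021:10:00:03 +0000] "GET /public/plugins/graph/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/grafana/grafana.ini HTTP/1.1" 200 27810',
    '198.51.100.9 - - [07/Dec/2021:10:00:04 +0000] "GET /public/plugins/graph/%252e%252e/%252e%252e/%252e%252e/%252e%252e/var/lib/grafana/grafana.db HTTP/1.1" 400 0',
    '192.0.2.5 - - [07/Dec/2021:10:00:05 +0000] "GET /api/health HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} plugin={f['plugin']} status={f['status']} -> {f['target']}")
```

Run it against the Grafana access log or the reverse proxy's log in front of it; only findings with a 2xx status indicate a file that was actually served, and the resolved target tells you which file to assume compromised.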
Mitigation and prioritisation
- Upgrade to 8.0.7, 8.1.8, 8.2.7, or 8.3.1 (or any later release) and confirm the running version afterwards, for example with `grafana-server -v` or the version shown in the UI.
- If patching promptly isn't possible, restrict access to the vulnerable endpoints: add WAF or reverse-proxy rules that reject requests containing `..` segments (including percent-encoded forms) under /public/plugins/. A reverse proxy that normalises paths, i.e. resolves `..` before forwarding, blocks the traversal on its own.
- Enforce network controls: restrict Grafana to trusted networks, remove direct internet exposure, and require VPN or SSO in front of it.
- Do not rely on disabling plugins: the plugins bundled with Grafana are served from the same path and are sufficient for the attack. Still review the plugin inventory and remove plugins that are unnecessary or untrusted.
- Enable logging and alerting for traversal patterns under /public/plugins/, and if the logs show the instance was probed while vulnerable, rotate everything an attacker could have read (data-source credentials, the admin password, and any tokens or keys in grafana.ini). Plan a short, tested patch window.
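To drive the patch prioritisation above across a fleet, here is an added example (not from the advisory or Grafana) that classifies a self-reported Grafana version string against the affected range 8.0.0-beta1 through 8.3.0 and names the first fixed release on that host's minor line. It accepts bare version strings as well as the output of `grafana-server -v`; the inventory it runs over is constructed for the example, and the host names are assumptions.

```python
"""Triage an inventory of Grafana versions against CVE-2021-43798.
Added example; not Grafana's code."""
import re

# Matches "8.2.5", "v8.2.5", "8.0.0-beta1", or "Version 8.2.5 (commit: ...)".
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")

# First fixed patch release on each affected minor line, per the advisory.
FIXED = {(8, 0): 7, (8, 1): 8, (8, 2): 7, (8, 3): 1}


def parse_version(s: str):
    """Return (major, minor, patch, prerelease_or_None)."""
    m = VERSION_RE.search(s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4)


def is_vulnerable(version: str) -> bool:
    """True if the version lies in 8.0.0-beta1 .. 8.3.0 and is not a fixed release."""
    major, minor, patch, pre = parse_version(version)
    if major != 8 or minor > 3:
        return False  # 7.x and earlier, and 8.4+, are outside the affected range
    fixed_patch = FIXED[(major, minor)]
    if patch < fixed_patch:
        return True
    if patch == fixed_patch:
        # A pre-release sorts before its release in semver, so e.g. a hypothetical
        # 8.3.1-beta1 would still predate the fix; treat it as vulnerable.
        return pre is not None
    return False


def fixed_version_for(version: str):
    """Smallest patched release on the host's current minor line, or None if unaffected."""
    if not is_vulnerable(version):
        return None
    major, minor, _, _ = parse_version(version)
    return f"{major}.{minor}.{FIXED[(major, minor)]}"


def triage(inventory):
    """inventory: {hostname: version string}. Returns {hostname: fix version} for affected hosts."""
    return {host: fixed_version_for(v) for host, v in inventory.items() if is_vulnerable(v)}


# Constructed inventory (hypothetical hosts, not real systems).
INVENTORY = {
    "grafana-prod-1": "8.2.5",
    "grafana-prod-2": "v8.2.7",
    "grafana-dev": "Version 8.3.0 (commit: 0000000, branch: HEAD)",
    "grafana-legacy": "7.5.11",
    "grafana-new": "8.3.1",
}

if __name__ == "__main__":
    for host, fix in triage(INVENTORY).items():
        print(f"{host}: running {INVENTORY[host]!r}, upgrade to {fix} or later")
```

The fix version returned is the minimum on the same minor line, which is usually the smallest change for a hurried patch window; any later release is equally fine.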