Bug 2030422 (CVE-2021-43798)

Summary: CVE-2021-43798 grafana: path traversal vulnerability
Product: [Other] Security Response
Component: vulnerability
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Fixed In Version: grafana 8.3.1, grafana 8.2.7, grafana 8.1.8, grafana 8.0.7
Doc Type: If docs needed, set a value
Doc Text: A directory path traversal vulnerability was found in Grafana. This flaw allows an attacker to obtain read access to local files due to a lack of path normalization in the /public/plugins/<plugin-id>/ URL.
Bug Depends On: 2032145
Bug Blocks: 2030423
CC: agerstmayr, anharris, anpicker, aos-bugs, bmontgom, bniver, eparis, flucifre, gmeno, gparvin, grafana-maint, hvyas, jburrell, jkurik, jwendell, mbenjamin, mhackett, nathans, njean, nstielau, pahickey, rcernich, sostapov, spasquie, sponnaga, stcannon, twalsh, vereddy, vkumar

Description Guilherme de Almeida Suckevicz 2021-12-08 18:13:15 UTC
Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) is vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `<grafana_host_url>/public/plugins/<plugin-id>/`, where `<plugin-id>` is the plugin ID for any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline.

Reference:
https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p

Upstream patch:
https://github.com/grafana/grafana/commit/c798c0e958d15d9cc7f27c72113d572fa58545ce
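The description above locates the flaw in missing path normalization under `/public/plugins/<plugin-id>/`. As an added illustration (not Grafana's code and not the upstream patch), the Go check below shows the defensive shape such a handler needs: percent-decode, normalize with `filepath.Join`/`Clean`, then verify the result is still inside the plugin's directory. The root path, the plugin ID `alertlist` and the function name are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when the requested file would resolve outside the plugin's directory.
var ErrTraversal = errors.New("requested path escapes plugin directory")

// resolvePluginFile maps a request for /public/plugins/<pluginID>/<rel> onto a file
// under pluginsRoot/<pluginID>/ and refuses anything that, once percent-decoded and
// normalized, would land outside that directory. Names are illustrative, not Grafana's.
func resolvePluginFile(pluginsRoot, pluginID, rel string) (string, error) {
	// The plugin ID is a single path segment; separators or dot segments are never valid.
	if pluginID == "" || pluginID == "." || pluginID == ".." || strings.ContainsAny(pluginID, `/\`) {
		return "", fmt.Errorf("invalid plugin id %q", pluginID)
	}
	// Normalize the decoded form so "%2e%2e" cannot slip past a textual check.
	decoded, err := url.PathUnescape(rel)
	if err != nil {
		return "", fmt.Errorf("bad percent-encoding in %q: %w", rel, err)
	}
	pluginDir := filepath.Join(pluginsRoot, pluginID)
	// Join runs Clean, collapsing "..", "." and repeated separators, so the result is
	// comparable against the intended base directory.
	target := filepath.Join(pluginDir, filepath.FromSlash(decoded))
	// Accept the directory itself or anything strictly beneath it; "alertlist-evil"
	// must not pass just because it shares the "alertlist" prefix.
	if target != pluginDir && !strings.HasPrefix(target, pluginDir+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

func main() {
	root := "/var/lib/grafana/plugins" // constructed example root
	for _, rel := range []string{"img/logo.svg", "../../../../../../etc/passwd", "%2e%2e/etc/passwd"} {
		p, err := resolvePluginFile(root, "alertlist", rel)
		fmt.Printf("%-32s -> %q %v\n", rel, p, err)
	}
}
```

The comparison is purely lexical; a deployment that permits symlinks inside plugin directories should additionally resolve the result with `filepath.EvalSymlinks` and repeat the prefix check.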

Comment 1 Avinash Hanwate 2021-12-09 11:10:51 UTC
Gluster uses grafana v5.2.4, which is not affected by this vulnerability.

Comment 2 Przemyslaw Roguski 2021-12-09 13:08:43 UTC
This vulnerability affects Grafana versions from v8.0.0-beta1 through v8.3.0.

Comment 5 juneau 2021-12-14 20:07:20 UTC
OSD not affected per parent OCP.