Bug 2030422 (CVE-2021-43798) - CVE-2021-43798 grafana: path traversal vulnerability
Summary: CVE-2021-43798 grafana: path traversal vulnerability
Keywords:
Status: NEW
Alias: CVE-2021-43798
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2032145
Blocks: 2030423
Reported: 2021-12-08 18:13 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-10-25 17:21 UTC (History)

Fixed In Version: grafana 8.3.1, grafana 8.2.7, grafana 8.1.8, grafana 8.0.7
Doc Type: If docs needed, set a value
Doc Text:
A directory path traversal vulnerability was found in Grafana. This flaw allows an unauthenticated attacker to obtain read access to local files on the Grafana host because the /public/plugins/<plugin-id>/ URL handler does not normalize the requested path.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Guilherme de Almeida Suckevicz 2021-12-08 18:13:15 UTC
Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) are vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `<grafana_host_url>/public/plugins/<plugin-id>/`, where `<plugin-id>` is the plugin ID for any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline.

Reference:
https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p

Upstream patch:
https://github.com/grafana/grafana/commit/c798c0e958d15d9cc7f27c72113d572fa58545ce
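
The Doc Text attributes the flaw to a lack of path normalization in the plugin asset URL. The Go program below is an added illustration of that bug class and of the containment check that closes it. It is example code written for this page, not Grafana's handler and not the upstream patch linked above; the plugin root `/var/lib/grafana/plugins`, the plugin ID `myplugin`, the traversal payloads and all function names are assumptions. `unsafeAssetPath` reproduces the defect (raw concatenation of the router-captured remainder), `safeAssetPath` cleans the path and verifies with `filepath.Rel` that it still lies under the plugin root, and `resolveAssetRequest` shows why percent-decoding has to happen before that check.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// assetPrefix is the URL prefix under which plugin assets are served,
// as given in the bug description.
const assetPrefix = "/public/plugins/"

// ErrTraversal is returned when a requested asset path resolves outside the plugin root.
var ErrTraversal = errors.New("requested path escapes the plugin root")

// unsafeAssetPath concatenates the plugin root and the router-captured remainder
// of the URL with no normalization. Any "../" segments survive, so the operating
// system resolves the path outside pluginRoot when the file is opened.
// Illustrative only: this is not Grafana's handler.
func unsafeAssetPath(pluginRoot, requested string) string {
	return pluginRoot + string(filepath.Separator) + requested
}

// safeAssetPath normalizes the requested path and enforces containment:
// the cleaned result must still lie inside pluginRoot, otherwise ErrTraversal.
func safeAssetPath(pluginRoot, requested string) (string, error) {
	root := filepath.Clean(pluginRoot)
	// Join cleans the combined path, collapsing every "." and ".." segment.
	full := filepath.Join(root, requested)
	// Rel yields a path beginning with ".." exactly when full lies outside root.
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

// resolveAssetRequest takes a request path as it appears on the wire (possibly
// percent-encoded, e.g. "..%2f"), checks the prefix, decodes the remainder and
// resolves it with safeAssetPath. Decoding before the check matters: a
// containment test run on the still-encoded string would miss "%2e%2e%2f".
func resolveAssetRequest(pluginRoot, rawURLPath string) (string, error) {
	if !strings.HasPrefix(rawURLPath, assetPrefix) {
		return "", errors.New("not a plugin asset request")
	}
	decoded, err := url.PathUnescape(strings.TrimPrefix(rawURLPath, assetPrefix))
	if err != nil {
		return "", err
	}
	return safeAssetPath(pluginRoot, decoded)
}

func main() {
	// Assumed layout: plugins installed under this directory, one of them called "myplugin".
	root := "/var/lib/grafana/plugins"
	payload := "myplugin/../../../../../../../../etc/passwd" // constructed traversal input

	fmt.Println("unsafe :", filepath.Clean(unsafeAssetPath(root, payload)))
	if _, err := safeAssetPath(root, payload); err != nil {
		fmt.Println("safe   :", err)
	}
	if p, err := resolveAssetRequest(root, assetPrefix+"myplugin/img/logo.svg"); err == nil {
		fmt.Println("allowed:", p)
	}
	if _, err := resolveAssetRequest(root, assetPrefix+"myplugin/..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd"); err != nil {
		fmt.Println("encoded:", err)
	}
}
```

The surplus ".." segments in the payload are harmless to the attacker: `filepath.Clean` (and the kernel) stop at "/", so over-long traversal strings still land on the target file, which is why real-world probes for this class of bug pad the path generously. Note that Go's `net/http.ServeMux` canonicalizes ".." segments itself, but a custom router that captures the tail of the URL as a wildcard parameter does not, so the containment check belongs in the handler that turns that parameter into a filesystem path.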

Comment 1 Avinash Hanwate 2021-12-09 11:10:51 UTC
Gluster uses grafana v5.2.4, which is not affected by this vulnerability.

Comment 2 Przemyslaw Roguski 2021-12-09 13:08:43 UTC
This vulnerability affects Grafana versions from v8.0.0-beta1 through v8.3.0.

Comment 5 juneau 2021-12-14 20:07:20 UTC
OSD not affected per parent OCP.

