
Critical Vulnerability in Grafana product

Issued: Thursday, 9 December, 2021
Last Revision: Thursday, 9 December, 2021
Vendor: 
Product: 
Severity Level: 
Summary: 

Grafana Labs has released an emergency security update to patch vulnerability CVE-2021-43798.

The Grafana dashboard is used for monitoring and aggregating network logs and other parameters.

This vulnerability is categorized as a path traversal attack: an attacker can read files outside of Grafana's root folder.

| CVE/Vulnerability | Description | CVSS3.0 Score |
|---|---|---|
| CVE-2021-43798 | Path traversal attack | 7.5 |

Table 1: Vulnerability details

| CVE/Vulnerability | Affected Product(s) |
|---|---|
| CVE-2021-43798 | All Grafana self-hosted servers running 8.x versions |

Table 2: Vulnerable versions

Recommendation: 

We encourage entities to upgrade all Grafana 8.x instances to Grafana 8.3.1, 8.2.7, 8.1.8, and 8.0.7.
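
To apply the recommendation across an inventory, the following added example (not code from Q-CERT or Grafana Labs) classifies reported Grafana version strings against the fixed releases listed above. The host names and versions in `SAMPLE` are constructed, and treating 8.x branches newer than those listed as already fixed is an assumption.

```python
import re

# Fixed patch level for each affected 8.x branch, from the recommendation:
# 8.0.7, 8.1.8, 8.2.7, 8.3.1
FIXED = {0: 7, 1: 8, 2: 7, 3: 1}

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$")


def classify(version):
    """Return 'vulnerable', 'patched', 'not-affected' or 'unknown'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"  # unparseable string: check the host by hand
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    prerelease = m.group(4) is not None
    if major != 8:
        return "not-affected"  # the advisory covers 8.x only
    if minor not in FIXED:
        # Assumption: an 8.x branch newer than those listed ships the fix.
        return "patched"
    fixed_patch = FIXED[minor]
    # A pre-release of the fixed version (e.g. 8.3.1-beta1) sorts before it.
    if patch < fixed_patch or (patch == fixed_patch and prerelease):
        return "vulnerable"
    return "patched"


def triage(inventory):
    """Return (host -> status, sorted hosts that need an upgrade or a manual check)."""
    results = {host: classify(ver) for host, ver in inventory.items()}
    todo = sorted(h for h, s in results.items() if s in ("vulnerable", "unknown"))
    return results, todo


# Constructed inventory: host name -> version string reported by the instance.
SAMPLE = {
    "grafana-prod-1": "8.3.0",
    "grafana-prod-2": "8.3.1",
    "grafana-lab": "8.0.0-beta1",
    "grafana-legacy": "7.5.11",
    "grafana-edge": "latest",
}

if __name__ == "__main__":
    statuses, todo = triage(SAMPLE)
    for host in sorted(statuses):
        print(f"{host:16} {SAMPLE[host]:12} {statuses[host]}")
    print("needs attention:", ", ".join(todo))
```
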