Finding Grafana instances
A zero-day vulnerability for Grafana, a popular analytics and visualization software, was leaked this week. This vulnerability provides attackers a path traversal attack vector that can result in data disclosure, resulting in access to files containing confidential information or credentials. Tracked as CVE-2021-43798 with a “high” CVSS score of 7.5, this path traversal vulnerability resides in the installed plugins path logic for a Grafana instance (e.g., <grafana_host_url>/public/plugins/<plugin-id>
). Because Grafana installs with plugins by default, Grafana versions v8.0.0-beta1 through v8.3.0 are all vulnerable (Grafana Cloud is reportedly not vulnerable).
This vulnerability was originally disclosed to Grafana on December 3rd (prior to its leak as an 0-day). Grafana made patched versions available the day of the leak and advised anyone running a vulnerable version to update to a patched version as soon as possible. If upgrading isn’t an option, Grafana provides mitigation strategy as well.
As a part of good cyber hygiene, you should shut down public access to Grafana servers (unless it is necessary).
How to find Grafana instances #
From the Asset Inventory, use the following pre-built query to locate potentially vulnerable Grafana instances within your network:
product:grafana

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.


Pearce Barry is a Director of Security Research at runZero. Barry joined runZero in June 2021, working on the Metasploit Project the four years prior. Now, Pearce leads research efforts at runZero, which includes creating and improving fingerprints, adding to protocols, enhancing scanning logic, and writing queries.
Similar Content
November 9, 2023
How to find SysAid Help Desk instances
How to find SysAid Help Desk instances # On the evening of November 8th Microsoft Threat Intelligence announced that they had discovered attacks by a ransomware gang against the SysAid Help Desk software using a zero-day exploit (CVE-2023-47246). These attacks leveraged a …
Read MoreNovember 1, 2023
How to find Apache ActiveMQ instances
How to find Apache ActiveMQ® instances # On October 25th the Apache team announced a vulnerability (CVE-2023-46604) in ActiveMQ that could lead to unauthenticated remote code execution. Shortly after the issue was disclosed exploits started to appear and the Rapid7 MDR team …
Read MoreOctober 30, 2023
Finding NGINX Ingress Controllers with runZero
Today, three vulnerabilities in the NGINX Ingress Controller for Kubernetes were disclosed, as described in this article from The Hacker News. These vulnerabilities have CVSS scores ranging from 7.6 to 8.8; all of these scores are considered high. These vulnerabilities have …
Read More