Finding Grafana instances

A zero-day vulnerability for Grafana, a popular analytics and visualization software, was leaked this week. This vulnerability provides attackers a path traversal attack vector that can result in data disclosure, resulting in access to files containing confidential information or credentials. Tracked as CVE-2021-43798 with a “high” CVSS score of 7.5, this path traversal vulnerability resides in the installed plugins path logic for a Grafana instance (e.g., <grafana_host_url>/public/plugins/<plugin-id>). Because Grafana installs with plugins by default, Grafana versions v8.0.0-beta1 through v8.3.0 are all vulnerable (Grafana Cloud is reportedly not vulnerable).

This vulnerability was originally disclosed to Grafana on December 3rd (prior to its leak as an 0-day). Grafana made patched versions available the day of the leak and advised anyone running a vulnerable version to update to a patched version as soon as possible. If upgrading isn’t an option, Grafana provides mitigation strategy as well.

As a part of good cyber hygiene, you should shut down public access to Grafana servers (unless it is necessary).

How to find Grafana instances #

From the Asset Inventory, use the following pre-built query to locate potentially vulnerable Grafana instances within your network:

product:grafana

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.

Get runZero for free

Find Grafana instances on your network in minutes with runZero.

Get started