Latest Grafana vulnerability
A zero-day vulnerability in Grafana, a popular analytics and visualization software, was leaked this week. The vulnerability gives attackers a path traversal attack vector that can result in data disclosure: access to files containing confidential information or credentials. Tracked as CVE-2021-43798 with a "high" CVSS score of 7.5, this path traversal vulnerability resides in the installed-plugins path logic of a Grafana instance (e.g., <grafana_host_url>/public/plugins/<plugin-id>). Because Grafana installs with plugins by default, Grafana versions v8.0.0-beta1 through v8.3.0 are all vulnerable (Grafana Cloud is reportedly not vulnerable).
This vulnerability was originally disclosed to Grafana on December 3rd (prior to its leak as a 0-day). Grafana made patched versions available the day of the leak and advised anyone running a vulnerable version to update to a patched version as soon as possible. If upgrading isn't an option, Grafana provides a mitigation strategy as well.
As a part of good cyber hygiene, you should shut down public access to Grafana servers (unless it is necessary).
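Alongside patching, it helps to know whether anyone has already probed the plugin path. The script below is an added example (not from the original post or from Grafana) that scans web server access logs for requests under /public/plugins/<plugin-id>/ containing a ".." segment, after URL-decoding (including double encoding). The log lines are constructed samples in Nginx/Apache combined format; the plugin id "alertlist" and the client IPs are illustrative.

```python
# Added example: detect directory-traversal attempts against Grafana's
# /public/plugins/<plugin-id>/ path (the location affected by CVE-2021-43798).
# Log format assumed: Nginx/Apache combined format. Sample lines are constructed.
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)
PLUGIN_PREFIX = "/public/plugins/"

def normalize_path(raw_path):
    """Drop the query string, URL-decode until stable (bounded), unify slashes."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):  # enough to undo double/triple encoding without looping forever
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def is_plugin_traversal(raw_path):
    """True when the request is under the plugin prefix and has a '..' segment."""
    path = normalize_path(raw_path)
    if not path.startswith(PLUGIN_PREFIX):
        return False
    remainder = path[len(PLUGIN_PREFIX):]
    return any(segment == ".." for segment in remainder.split("/"))

def find_suspicious(log_text):
    """Return (client_ip, raw_path, status) for every traversal-looking request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_plugin_traversal(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), m.group("status")))
    return hits

# Constructed sample log: one normal plugin asset fetch, two traversal attempts
# (single- and double-encoded), and one unrelated API call.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Dec/2021:10:01:02 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 1234
203.0.113.7 - - [08/Dec/2021:10:01:05 +0000] "GET /public/plugins/alertlist/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 987
203.0.113.9 - - [08/Dec/2021:10:01:09 +0000] "GET /public/plugins/alertlist/%252e%252e/%252e%252e/some_target_file HTTP/1.1" 200 456
198.51.100.2 - - [08/Dec/2021:10:02:00 +0000] "GET /api/health HTTP/1.1" 200 15
"""

if __name__ == "__main__":
    for ip, path, status in find_suspicious(SAMPLE_LOG):
        print(f"{ip} requested {path} -> HTTP {status}")
```

A 200 status on such a request is the signal to investigate further; a 4xx response suggests the traversal was blocked or the instance is already patched.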
How to find Grafana instances
From the Asset Inventory, use the following pre-built query to locate potentially vulnerable Grafana instances within your network:
product:grafana
As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.