Grafana Plugin Dir Traversal (CVE-2021-43798)
Description
Grafana versions 8.0.0-beta1 through 8.3.0 contain a path traversal vulnerability (CVE-2021-43798) in the endpoint that serves plugin static assets, /public/plugins/<plugin-id>/<asset-path>. Grafana resolves the asset path under the plugin's directory without rejecting ../ segments, so an unauthenticated attacker who knows any installed plugin ID can request a path such as /public/plugins/<plugin-id>/../../../../etc/passwd and read arbitrary files with the privileges of the Grafana service account. Default installations are affected because Grafana ships built-in plugins (for example alertlist) whose IDs are public, so no enumeration is needed. Files of particular interest to an attacker include grafana.ini (which can contain the secret_key and the initial admin password), the grafana.db SQLite database (user and data source records), and any credentials or certificates readable by the Grafana process. Note that most HTTP clients and proxies normalize ../ before sending a request, so exploitation requires a client that sends the raw path or a URL-encoded form of the traversal sequence.
Remediation
Immediately upgrade Grafana to version 8.3.1 or later. Backported fixes are also available in 8.2.7, 8.1.8 and 8.0.7 for deployments that cannot move to a new minor release. If immediate patching is not possible, implement the following temporary mitigations:
1. Put Grafana behind a reverse proxy or web application firewall (WAF) that normalizes or rejects dot segments before the request reaches Grafana. Requests under the plugin asset route
/public/plugins/*/
that contain ../ (or URL-encoded forms such as %2e%2e/, ..%2f and the double-encoded %252e%252e) should be rejected. Do not block the whole /public/plugins/ prefix: the Grafana front end loads plugin JavaScript, CSS and images from it, and blocking it outright breaks every panel and data source plugin.
2. Restrict network access to Grafana to trusted IP addresses only
3. Monitor access logs for exploitation attempts, specifically requests to /public/plugins/ whose path contains directory traversal sequences (../, ..\ and their URL-encoded or double-encoded variants). Grafana's own router logging is disabled by default (router_logging in grafana.ini), so in many deployments the only record of these requests is the reverse proxy access log.
4. After upgrading, review server logs for any suspicious file access patterns that may indicate prior exploitation, and rotate any credentials that could have been read from disk: the Grafana secret_key and admin password in grafana.ini, data source credentials stored in the database, and any TLS keys or environment files readable by the Grafana process.
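The following added example, which is not part of the original advisory or of Grafana's own code, shows the detection and blocking logic that mitigations 1 and 3 describe: a predicate that decides whether a request path abuses the plugin asset route, and a scanner that runs it over access log lines. The log lines are constructed samples in Common Log Format, as a reverse proxy in front of Grafana would write them; the plugin ID alertlist and the client addresses are illustrative. The same predicate can be used as the deny rule in a proxy or WAF integration, since it keeps ordinary asset requests under /public/plugins/<plugin-id>/ and rejects only paths that resolve outside that plugin's directory.

```python
import posixpath
import re
from urllib.parse import unquote

# Grafana serves plugin assets under /public/plugins/<plugin-id>/<asset-path>.
PLUGIN_PREFIX = "/public/plugins/"

# Constructed sample reverse-proxy access log (Common Log Format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Dec/2021:10:01:02 +0000] "GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1" 200 1842
203.0.113.7 - - [08/Dec/2021:10:01:03 +0000] "GET /public/plugins/alertlist/..%2f..%2f..%2f..%2fetc%2fgrafana%2fgrafana.ini HTTP/1.1" 200 2011
198.51.100.5 - - [08/Dec/2021:10:02:10 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 4096
198.51.100.5 - - [08/Dec/2021:10:02:11 +0000] "GET /api/dashboards/home HTTP/1.1" 200 512
203.0.113.7 - - [08/Dec/2021:10:03:00 +0000] "GET /public/plugins/alertlist/%252e%252e/%252e%252e/%252e%252e/var/lib/grafana/grafana.db HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_request_path(raw_path, max_rounds=3):
    """Strip the query string, percent-decode repeatedly (to expose %252e double
    encoding) and treat backslashes as separators. No dot-segment resolution yet."""
    path = raw_path.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal_request(raw_path):
    """True when the request targets the plugin asset route but the resolved path
    escapes /public/plugins/<plugin-id>/, i.e. the CVE-2021-43798 pattern.
    Ordinary asset requests under a plugin directory return False."""
    path = decode_request_path(raw_path)
    if not path.startswith(PLUGIN_PREFIX):
        return False
    plugin_id, _, _asset = path[len(PLUGIN_PREFIX):].partition("/")
    if plugin_id == "":
        return False  # bare /public/plugins/ request, nothing to traverse yet
    allowed_root = PLUGIN_PREFIX + plugin_id
    # posixpath.normpath resolves '.' and '..' segments and, for an absolute path,
    # never climbs above '/', which is exactly how a filesystem would resolve it.
    resolved = posixpath.normpath(path)
    return not (resolved == allowed_root or resolved.startswith(allowed_root + "/"))


def scan_access_log(lines):
    """Return (client_ip, raw_path, status) for every line that looks like an
    exploitation attempt. A 200 on a traversal path is the strongest indicator
    that a file was actually served."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if match is None:
            continue
        if is_traversal_request(match.group("path")):
            hits.append((match.group("ip"), match.group("path"), match.group("status")))
    return hits


if __name__ == "__main__":
    for ip, path, status in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} {status} {path}")
```

The predicate deliberately decodes more than once: a proxy that decodes a single layer will pass %252e%252e through as %2e%2e, and a downstream component that decodes again turns it into .. again, so a detector that only handles one layer misses the double-encoded attempts while still flagging the plain ones.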