Grafana, the open-source analytics and interactive visualization platform, was updated today to fix a high-severity zero-day vulnerability that allowed remote attackers to read local files on the server. Details of the bug became public earlier this week, before Grafana Labs had shipped patches for the affected versions, 8.0.0-beta1 through 8.3.0.
Grafana 8.3.1, 8.2.7, 8.1.8, and 8.0.7 were published to address a path traversal vulnerability that lets an attacker step outside the Grafana plugin directory and read files elsewhere on the server, such as /etc/passwd. In a blog post today, Grafana Labs explained that the fault lay in the URL route for installed plugins, which was subject to path traversal.
Because every Grafana install ships with a set of plugins loaded by default, the vulnerable URL route was present on every instance. Grafana Labs was notified of the vulnerability at the end of last week, on December 3, and developed a fix the same day. A private release to customers was scheduled for today, with a public release planned for December 14.
However, word of the problem began to spread, and the company received confirmation when details of the flaw surfaced publicly. Technical information and proof-of-concept (PoC) exploits were quickly shared on Twitter and GitHub, and the patches were released publicly today instead. The bug, now tracked as CVE-2021-43798, carries a CVSS severity score of 7.5 and remains exploitable on unpatched on-premises servers.
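As an added illustration (example code written for this article, not Grafana's own source), the Go snippet below shows the bug class in miniature: a plugin asset handler that joins the user-supplied remainder of the URL onto the plugin directory without checking that the result stays inside it, next to the hardened form that rejects anything resolving outside that directory. It also includes a log-review check that flags plugin asset requests which climb out of the plugin's own directory, percent-encoded ones included. The directory /var/lib/grafana/plugins/alertlist, the /public/plugins/ URL prefix, the plugin id and the request lines are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"path/filepath"
	"strings"
)

// resolveUnsafe reproduces the bug class: the user-controlled tail of the URL is
// joined onto the plugin directory with no check that the result is still inside
// it. filepath.Join cleans the path, so "../" segments walk upward past the plugin
// directory and out to the filesystem root.
func resolveUnsafe(pluginDir, requested string) string {
	return filepath.Join(pluginDir, requested)
}

// resolveSafe is the hardened form: join, then verify that the resolved path is
// the plugin directory itself or strictly below it. filepath.Rel returns a path
// beginning with ".." whenever the target lies outside root.
func resolveSafe(pluginDir, requested string) (string, error) {
	root, err := filepath.Abs(pluginDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(root, requested)
	rel, err := filepath.Rel(root, full)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
		return "", fmt.Errorf("request %q escapes plugin directory %s", requested, root)
	}
	return full, nil
}

// pluginPrefix is the assumed URL prefix under which plugin assets are served
// (an assumption for this example, not taken from Grafana's router).
const pluginPrefix = "/public/plugins/"

// isPluginTraversal is a log-review check. It percent-decodes the raw request
// path (so "%2e%2e" counts the same as ".."), then walks the segments after
// "<plugin-id>/" keeping a depth counter; any ".." that would climb to or above
// the plugin id directory marks the request as a traversal attempt.
func isPluginTraversal(rawPath string) bool {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return true // undecodable paths deserve a look as well
	}
	if !strings.HasPrefix(decoded, pluginPrefix) {
		return false
	}
	rest := strings.TrimPrefix(decoded, pluginPrefix) // "<plugin-id>/<asset path>"
	depth := 0
	for _, seg := range strings.Split(rest, "/") {
		switch seg {
		case "", ".":
			continue
		case "..":
			depth--
			if depth < 1 { // left the "<plugin-id>" directory
				return true
			}
		default:
			depth++
		}
	}
	return false
}

func main() {
	// Constructed sample, not a real Grafana installation.
	dir := "/var/lib/grafana/plugins/alertlist"
	evil := "../../../../../../../etc/passwd"
	fmt.Println("unsafe resolves to:", resolveUnsafe(dir, evil))
	if _, err := resolveSafe(dir, evil); err != nil {
		fmt.Println("safe rejects:", err)
	}
	// Constructed request paths, as they might appear in an access log.
	for _, p := range []string{
		"/public/plugins/alertlist/img/icon.svg",
		"/public/plugins/alertlist/../../../../../../../etc/passwd",
		"/public/plugins/alertlist/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
		"/api/health",
	} {
		fmt.Printf("%-62s traversal=%v\n", p, isPluginTraversal(p))
	}
}
```

The hardened resolver relies on the resolved path, not on pattern matching, so encoded or doubled-up separators are handled by the same check; the log filter is deliberately a separate, cheaper heuristic for searching existing access logs for attempts.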
The developer says Grafana Cloud instances are unaffected:
“On 2021-12-03, we received a report that Grafana is vulnerable to directory traversal, allowing access to local files. We have confirmed this for versions v8.0.0-beta1 to v8.3.0. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.”
Public sources show thousands of Grafana servers exposed on the internet. Where a vulnerable instance cannot be upgraded promptly, the advice is to make the server unreachable from the public web. Since exploit details are already public, administrators should also review access logs for requests to the plugin route that contain traversal sequences.