CVSS3: 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: NONE
  Availability Impact: NONE
CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:P/I:N/A:N)
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE
EPSS: 0.975 High (Percentile: 100.0%)
Severity: High
Date : 2021-12-11
CVE-ID : CVE-2021-43798 CVE-2021-43813 CVE-2021-43815
Package : grafana
Type : directory traversal
Remote : Yes
Link : https://security.archlinux.org/AVG-2609
The package grafana before version 8.3.1-1 is vulnerable to directory
traversal.
Upgrade to 8.3.1-1.
The problems have been fixed upstream in version 8.3.1.
Workaround: None.
Grafana 8 before version 8.3.1 is vulnerable to directory traversal,
allowing access to local files. The vulnerable URL path is
<grafana_host_url>/public/plugins/<plugin-id>, where <plugin-id> is
the plugin ID for any installed plugin.
A security issue has been found in Grafana before version 8.3.2 through
which authenticated users could read out fully lowercase or fully
uppercase .md files through directory traversal. The vulnerable URL
path is: /api/plugins/.*/markdown/.* for .md files.
A security issue has been found in Grafana 8 before version 8.3.2
through which authenticated users could read out arbitrary .csv files
through directory traversal. The vulnerable URL path is: /api/ds/query.
A remote attacker could access arbitrary local files on the server
through directory traversal.
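The containment check that this class of bug is missing, shown as an added example (not Grafana's code and not part of the advisory): a naive path join next to a resolver that rejects any request leaving the plugin directory. The function names, the sample directory and the sample requests are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsidePluginDir reports a request that resolves outside the plugin directory.
var ErrOutsidePluginDir = errors.New("path escapes plugin directory")

// NaiveJoin is the unsafe pattern: Join cleans the result, so ".." segments
// in the request walk out of pluginDir.
func NaiveJoin(pluginDir, requested string) string {
	return filepath.Join(pluginDir, requested)
}

// ResolvePluginAsset (hypothetical helper) maps the part of the URL after
// /public/plugins/<plugin-id>/ to a file and rejects anything outside pluginDir.
// It is lexical only; symlinks inside pluginDir need filepath.EvalSymlinks as well.
func ResolvePluginAsset(pluginDir, requested string) (string, error) {
	base, err := filepath.Abs(pluginDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(base, requested)
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	// A relative path that starts with ".." points above the plugin directory.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsidePluginDir
	}
	return full, nil
}

func main() {
	dir := "/var/lib/grafana/plugins/demo" // constructed sample directory
	for _, req := range []string{"img/logo.svg", "img/../module.js", "../../outside.txt"} {
		p, err := ResolvePluginAsset(dir, req)
		fmt.Printf("%-20q naive=%s safe=%q err=%v\n", req, NaiveJoin(dir, req), p, err)
	}
}
```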
https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p
https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/
https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/
https://j0vsec.com/post/cve-2021-43798/
https://github.com/grafana/grafana/commit/00e38ba555cfb120361c9623de3285d70c60172f
https://github.com/grafana/grafana/security/advisories/GHSA-c3q8-26ph-9g2q
https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/
https://github.com/grafana/grafana/commit/06706efbbe59ad9d3075835cc31e2f734e36df95
https://github.com/grafana/grafana/security/advisories/GHSA-7533-c8qv-jm9m
https://github.com/grafana/grafana/commit/1d7105c0959df2083814237024f7ec098a76099b
https://security.archlinux.org/CVE-2021-43798
https://security.archlinux.org/CVE-2021-43813
https://security.archlinux.org/CVE-2021-43815