
Grafana -- Path Traversal

Description

Grafana Labs reports: Grafana is vulnerable to directory traversal, allowing access to local files. We have confirmed this for versions v8.0.0-beta1 to v8.3.0. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.

The vulnerable URL path is: <grafana_host_url>/public/plugins/<plugin-id>, where <plugin-id> is the plugin ID for any installed plugin. Every Grafana instance comes with pre-installed plugins like the Prometheus plugin or MySQL plugin, so the following URLs are vulnerable for every instance:

<grafana_host_url>/public/plugins/alertlist/
<grafana_host_url>/public/plugins/annolist/
<grafana_host_url>/public/plugins/barchart/
<grafana_host_url>/public/plugins/bargauge/
<grafana_host_url>/public/plugins/candlestick/
<grafana_host_url>/public/plugins/cloudwatch/
<grafana_host_url>/public/plugins/dashlist/
<grafana_host_url>/public/plugins/elasticsearch/
<grafana_host_url>/public/plugins/gauge/
<grafana_host_url>/public/plugins/geomap/
<grafana_host_url>/public/plugins/gettingstarted/
<grafana_host_url>/public/plugins/grafana-azure-monitor-datasource/
<grafana_host_url>/public/plugins/graph/
<grafana_host_url>/public/plugins/heatmap/
<grafana_host_url>/public/plugins/histogram/
<grafana_host_url>/public/plugins/influxdb/
<grafana_host_url>/public/plugins/jaeger/
<grafana_host_url>/public/plugins/logs/
<grafana_host_url>/public/plugins/loki/
<grafana_host_url>/public/plugins/mssql/
<grafana_host_url>/public/plugins/mysql/
<grafana_host_url>/public/plugins/news/
<grafana_host_url>/public/plugins/nodeGraph/
<grafana_host_url>/public/plugins/opentsdb
<grafana_host_url>/public/plugins/piechart/
<grafana_host_url>/public/plugins/pluginlist/
<grafana_host_url>/public/plugins/postgres/
<grafana_host_url>/public/plugins/prometheus/
<grafana_host_url>/public/plugins/stackdriver/
<grafana_host_url>/public/plugins/stat/
<grafana_host_url>/public/plugins/state-timeline/
<grafana_host_url>/public/plugins/status-history/
<grafana_host_url>/public/plugins/table/
<grafana_host_url>/public/plugins/table-old/
<grafana_host_url>/public/plugins/tempo/
<grafana_host_url>/public/plugins/testdata/
<grafana_host_url>/public/plugins/text/
<grafana_host_url>/public/plugins/timeseries/
<grafana_host_url>/public/plugins/welcome/
<grafana_host_url>/public/plugins/zipkin/
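The advisory gives two things a defender can act on: the path prefix that is exposed (/public/plugins/<plugin-id>/, with a fixed list of plugin IDs present on every instance) and the confirmed affected version range. The following is an added example, not code from the page or from Grafana Labs, that turns both into checks: it scans access-log lines for requests under that prefix which, once URL-decoded and normalised, resolve outside the plugin directory, and it tests a Grafana version string against the stated v8.0.0-beta1 to v8.3.0 range. It assumes an Apache/nginx combined-format access log from a reverse proxy in front of Grafana (Grafana's own server log uses a different format, so adapt REQUEST_RE for that); the log lines are constructed for the example and are not real traffic.

```python
import posixpath
import re
from urllib.parse import unquote

# Plugin IDs shipped with every Grafana instance, taken from the advisory's list of URLs.
BUILTIN_PLUGIN_IDS = frozenset({
    "alertlist", "annolist", "barchart", "bargauge", "candlestick", "cloudwatch",
    "dashlist", "elasticsearch", "gauge", "geomap", "gettingstarted",
    "grafana-azure-monitor-datasource", "graph", "heatmap", "histogram", "influxdb",
    "jaeger", "logs", "loki", "mssql", "mysql", "news", "nodeGraph", "opentsdb",
    "piechart", "pluginlist", "postgres", "prometheus", "stackdriver", "stat",
    "state-timeline", "status-history", "table", "table-old", "tempo", "testdata",
    "text", "timeseries", "welcome", "zipkin",
})

# Request line of a combined-format access log (assumption: a reverse proxy logs in front of Grafana).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
PLUGIN_PATH_RE = re.compile(r"^/public/plugins/(?P<plugin>[^/?]+)")


def decode_path(raw: str) -> str:
    """Strip the query string and URL-decode until stable, so %2e%2e and %252e%252e both become '..'."""
    path = raw.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal_request(raw_path: str) -> bool:
    """True when a request under /public/plugins/<id>/ resolves outside that plugin's directory."""
    path = decode_path(raw_path)
    m = PLUGIN_PATH_RE.match(path)
    if not m:
        return False
    plugin_root = "/public/plugins/" + m.group("plugin")
    # normpath collapses '.' and '..' segments; a normalised path that no longer sits
    # under the plugin directory is a traversal attempt, whatever the plugin ID is.
    normalised = posixpath.normpath(path)
    return not (normalised == plugin_root or normalised.startswith(plugin_root + "/"))


def find_traversal_attempts(log_lines):
    """Return (client_ip, plugin_id, is_builtin, normalised_target) for each traversal request line."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m or not is_traversal_request(m.group("path")):
            continue
        path = decode_path(m.group("path"))
        plugin = PLUGIN_PATH_RE.match(path).group("plugin")
        client_ip = line.split(" ", 1)[0]
        hits.append((client_ip, plugin, plugin in BUILTIN_PLUGIN_IDS, posixpath.normpath(path)))
    return hits


def version_key(version: str):
    """Sort key for Grafana version strings such as 'v8.0.0-beta1'; a pre-release sorts before its release."""
    core, _, prerelease = version.lstrip("v").partition("-")
    major, minor, patch = (int(x) for x in core.split("."))
    return (major, minor, patch, 0 if prerelease else 1, prerelease)


# Range the advisory confirms: v8.0.0-beta1 through v8.3.0 inclusive.
AFFECTED_LOW, AFFECTED_HIGH = version_key("v8.0.0-beta1"), version_key("v8.3.0")


def is_affected_version(version: str) -> bool:
    return AFFECTED_LOW <= version_key(version) <= AFFECTED_HIGH


# Constructed sample log lines for a stand-alone run (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Dec/2021:10:00:01 +0000] "GET /public/plugins/mysql/../../../../etc/passwd HTTP/1.1" 200 1543',
    '10.0.0.5 - - [07/Dec/2021:10:00:02 +0000] "GET /public/plugins/prometheus/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/grafana/grafana.ini HTTP/1.1" 200 22010',
    '10.0.0.9 - - [07/Dec/2021:10:00:03 +0000] "GET /public/plugins/mysql/img/mysql_logo.svg HTTP/1.1" 200 4012',
    '10.0.0.9 - - [07/Dec/2021:10:00:04 +0000] "GET /api/health HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for ip, plugin, builtin, target in find_traversal_attempts(SAMPLE_LOG):
        print(f"{ip} via plugin {plugin!r} (built-in: {builtin}) -> {target}")
    for v in ("v8.0.0-beta1", "8.2.5", "v8.3.0", "v8.3.1", "7.5.11"):
        print(v, "affected" if is_affected_version(v) else "not affected")
```

Two caveats when using this. The detector flags attempts, not successes: whether the server actually returned file contents has to be judged from the response status and size in the same log line, and a proxy that normalises paths before forwarding may hide the raw request entirely, so check at the hop closest to the client. The version check only encodes the range this advisory states as confirmed; the page lists no fixed release, so treat anything newer than v8.3.0 as "not in the confirmed range" rather than "patched" until you have checked the vendor's release notes.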


Affected Package

OS       OS Version   Package Name   Package Version
FreeBSD  any          grafana8       8.0.0
FreeBSD  any          grafana8       8.0.7
FreeBSD  any          grafana        8.0.0
FreeBSD  any          grafana        8.0.7

Related