Linux Distros Unpatched Vulnerability : CVE-2021-43813

🗓️ 02 Sep 2025 00:00:00Reported by TenableType

Grafana markdown directory traversal affects versions before 8.3.2 and 7.5.12; upgrade to 8.3.2 or 7.5.12; Cloud is unaffected.

Reporter	Title	Published	Views	Family All 113
ALT Linux	Security fix for the ALT Linux 10 package grafana version 8.5.0-alt1	5 May 202200:00	–	altlinux
ALT Linux	Security fix for the ALT Linux 9 package grafana version 7.5.13-alt1	31 Jan 202200:00	–	altlinux
FreeBSD	Grafana -- Directory Traversal	9 Dec 202100:00	–	freebsd
Tenable Nessus	Alibaba Cloud Linux 3 : 0144: grafana (ALINUX3-SA-2022:0144)	14 May 202500:00	–	nessus
Tenable Nessus	AlmaLinux 8 : grafana (ALSA-2022:1781)	12 May 202200:00	–	nessus
Tenable Nessus	CentOS 8 : grafana (CESA-2022:1781)	10 May 202200:00	–	nessus
Tenable Nessus	CentOS 9 : grafana-9.0.9-1.el9	29 Feb 202400:00	–	nessus
Tenable Nessus	MiracleLinux 8 : grafana-7.5.11-2.el8 (AXSA:2022-3494:02)	20 Jan 202600:00	–	nessus
Tenable Nessus	openSUSE 15 Security Update : grafana (openSUSE-SU-2022:0140-1)	21 Jan 202200:00	–	nessus
Tenable Nessus	Oracle Linux 8 : grafana (ELSA-2022-1781)	18 May 202200:00	–	nessus

Source	Link
ubuntu	www.ubuntu.com/security/CVE-2021-43813
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(260322);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/09/02");

  script_cve_id("CVE-2021-43813");

  script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2021-43813");

  script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
  script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.

  - Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and
    7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The
    vulnerability is limited in scope, and only allows access to files with the extension .md to authenticated
    users only. Grafana Cloud instances have not been affected by the vulnerability. Users should upgrade to
    patched versions 8.3.2 or 7.5.12. For users who cannot upgrade, running a reverse proxy in front of
    Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to
    also be able to handle url encoded paths. Alternatively, for fully lowercase or fully uppercase .md files,
    users can block /api/plugins/.*/markdown/.* without losing any functionality beyond inlined plugin help
    text. (CVE-2021-43813)

Note that Nessus relies on the presence of the package as reported by the vendor.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/CVE-2021-43813");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-43813");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/12/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/09/02");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:grafana");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
  script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
  script_require_ports("Host/OS/Ubuntu Linux-16.04");

  exit(0);
}

if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);

include('linux_unpatched.inc');

var distro_constraints_array = {
  "Ubuntu Linux-16.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "16.04",
        "pkgs": [
          {"reference": "grafana"}
        ]
      }
    ]
  }
};

var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);

if (!empty_or_null(report))
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : report
  );
  exit(0);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}

02 Sep 2025 00:00Current

6.7Medium risk

Vulners AI Score6.7

CVSS 24

CVSS 3.14.3

EPSS0.06405