CVE-2021-43798
published 2021-12-07


Priority: P1 (88)
Severity: high, CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, due 2025-10-30
Exploited in the wild
EPSS: 88.85% (99.8th percentile)
Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) are vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is `/public/plugins/<plugin_id>/`, where `<plugin_id>` is the plugin ID of any plugin the instance knows about. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline.
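To make the traversal concrete, the following is an added illustration of the bug class, not Grafana's code: a static-file resolver that percent-decodes the request tail and joins it onto `/public/plugins/<plugin_id>/` with no containment check, beside a hardened resolver that canonicalises both sides and refuses anything outside the plugin's directory. The on-disk layout, the function names and the request strings are assumptions made for the demo; the traversal string follows the shape of the IOC URLs listed further down the page.

```python
"""Model of the CVE-2021-43798 bug class: a static-file handler that joins a
percent-decoded request tail onto /public/plugins/<plugin_id>/ without
checking where the result lands, beside a hardened resolver that does.

Added illustration, not Grafana's code: the on-disk layout, function names and
request strings are assumptions made for the demo.
"""
import os
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def resolve_vulnerable(plugins_root: str, plugin_id: str, rest: str) -> str:
    """Decode the request tail and join it onto the plugin directory.
    Nothing stops '..' segments from walking above plugins_root."""
    return os.path.normpath(os.path.join(plugins_root, plugin_id, unquote(rest)))


def resolve_hardened(plugins_root: str, plugin_id: str, rest: str) -> Optional[str]:
    """Same join, but canonicalise both sides (symlinks included) and refuse any
    result that is not inside the plugin's own directory."""
    plugin_dir = os.path.realpath(os.path.join(plugins_root, plugin_id))
    candidate = os.path.realpath(os.path.join(plugin_dir, unquote(rest)))
    if os.path.commonpath([plugin_dir, candidate]) != plugin_dir:
        return None  # traversal: candidate escaped plugin_dir
    return candidate


def demo() -> dict:
    """Build a throwaway tree (assumed layout) and resolve one benign and one
    traversal request with both resolvers."""
    with tempfile.TemporaryDirectory() as root:
        plugins_root = os.path.join(root, "public", "plugins")
        Path(plugins_root, "alertlist").mkdir(parents=True)
        Path(plugins_root, "alertlist", "module.js").touch()
        # Stand-in for the Grafana config file the page lists among the IOCs.
        secret = os.path.join(root, "conf", "defaults.ini")
        Path(secret).parent.mkdir(parents=True)
        Path(secret).touch()

        benign = "module.js"
        # Same shape as the page's IOC URLs: three encoded '..' hops climb
        # alertlist -> plugins -> public -> root.
        traversal = "..%2f..%2f..%2fconf/defaults.ini"

        return {
            "vuln_benign_ok": os.path.isfile(resolve_vulnerable(plugins_root, "alertlist", benign)),
            "vuln_reads_secret": resolve_vulnerable(plugins_root, "alertlist", traversal) == os.path.normpath(secret),
            "hard_benign_ok": resolve_hardened(plugins_root, "alertlist", benign) is not None,
            "hard_blocks_traversal": resolve_hardened(plugins_root, "alertlist", traversal) is None,
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The containment check compares `realpath` results rather than string prefixes, so a plugin directory named `alertlist` cannot be escaped into a sibling named `alertlist2`, and a symlink planted inside a plugin directory does not pass either. Rejecting the request before any file is opened is what stops `grafana.db` and `grafana.ini` from being served.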

Affected

14 ranges (8 with a version range recorded)

Vendor       Product          Version range            Fixed in
github.com   grafana_grafana  >= 8.0.0-beta1 < 8.0.7   8.0.7
github.com   grafana_grafana  >= 8.0.0-beta3 < 8.3.2   8.3.2
github.com   grafana_grafana  >= 8.1.0 < 8.1.8         8.1.8
github.com   grafana_grafana  >= 8.2.0 < 8.2.7         8.2.7
github.com   grafana_grafana  >= 8.3.0 < 8.3.1         8.3.1
grafana      grafana          >= 8.0.1 < 8.0.7         8.0.7
grafana      grafana          >= 8.1.0 < 8.1.8         8.1.8
grafana      grafana          >= 8.2.0 < 8.2.7         8.2.7
grafana      grafana          (6 further entries with no version range recorded)

Detection & IOCs (extracted from sources)

url       /public/plugins/alertlist/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd
url       /public/plugins/opentsdb/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/passwd
path      /public/plugins/<plugin_id>/
path      /var/lib/grafana/grafana.db
path      /etc/grafana/grafana.ini
path      /conf/defaults.ini
filename  injector.sh
ip        44.204.18.94
ip        95.181.232.32
ip        195.80.150.137
ip        141.95.126.31
ip        60.186.152.35
ip        122.231.163.197
domain    monero.herominers.com
  • Detect path traversal exploitation attempts by monitoring HTTP requests matching the pattern /public/plugins/<plugin_id>/..%2f (URL-encoded traversal sequences) in Grafana access logs.
  • Check for xmrig process execution (CPU at 98%+) originating from hidden directories such as /usr/share/.logstxt/ as a post-exploitation indicator following CVE-2021-43798 exploitation.
  • Alert on SSH authentication successes by the 'grafana' OS user from external IPs not matching known-good organizational IP ranges, as attackers leverage credentials obtained via the path traversal to log in.
  • Monitor for modification of cron-executed scripts (e.g., /opt/automation/updater.sh) by non-root users as a privilege escalation indicator following initial Grafana compromise.
  • Check logs for evidence of traversal requests that may have returned sensitive files such as grafana.db or grafana.ini, which contain plaintext or recoverable credentials.
  • The vulnerable URL path requires a plugin ID the instance knows; a request with an unknown plugin ID does not traverse. Grafana ships with core plugins such as 'alertlist' and 'opentsdb', so a default install already exposes usable IDs without any plugin having been added by the operator.
  • Grafana Cloud was never vulnerable; only self-hosted Grafana instances running versions 8.0.0-beta1 through 8.3.0 (excluding the patched builds 8.0.7, 8.1.8, 8.2.7 and 8.3.1) are affected.
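The first bullet above describes the access-log check; here it is worked out as an added example (not from the page's sources), run over constructed log lines. It goes a little beyond the bullet: it percent-decodes repeatedly so double-encoded `%252f` and mixed-case `%2F` are caught, and it keys on a `..` path segment under `/public/plugins/<plugin_id>/` rather than on the literal `..%2f` string. The log layout (client IP, then a quoted request line, then a status code) is an assumption for the demo.

```python
"""Flag CVE-2021-43798-style traversal requests in Grafana access logs.

Added example, not from the page's sources. The log lines below are constructed
for the demo and follow an assumed layout: client IP, quoted request line, status.
"""
import re
from typing import Optional, Tuple
from urllib.parse import unquote

# Constructed sample log lines (not real traffic). Two mirror the page's IOC URLs,
# one uses double encoding, the rest are benign.
SAMPLE_LOG = """\
10.0.0.5 "GET /public/plugins/alertlist/module.js HTTP/1.1" 200
203.0.113.7 "GET /public/plugins/alertlist/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd HTTP/1.1" 200
203.0.113.7 "GET /public/plugins/opentsdb/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/passwd HTTP/1.1" 200
198.51.100.9 "GET /public/plugins/graph/..%252f..%252f..%252fvar/lib/grafana/grafana.db HTTP/1.1" 404
10.0.0.8 "GET /api/dashboards/home HTTP/1.1" 200
10.0.0.9 "GET /public/plugins/grafana-clock-panel/img/clock.svg HTTP/1.1" 200
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
PLUGIN_PATH_RE = re.compile(r"^/public/plugins/(?P<plugin>[^/]+)/(?P<rest>.*)$")


def normalize_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so %2f, %2F and %252f all become '/'."""
    path = raw
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_plugin_traversal(raw_path: str) -> Optional[Tuple[str, str]]:
    """Return (plugin_id, normalized_path) if the request walks out of the
    plugin directory with a '..' segment, else None."""
    path = normalize_path(raw_path.split("?", 1)[0])
    m = PLUGIN_PATH_RE.match(path)
    if not m:
        return None
    # Legitimate plugin asset requests never contain a '..' segment; treat
    # backslashes as separators too so they cannot hide one.
    segments = m.group("rest").replace("\\", "/").split("/")
    if ".." in segments:
        return m.group("plugin"), path
    return None


def scan_log(text: str) -> list:
    """Scan log text and return one finding per traversal request, regardless of
    the status code: a 404 is still a probe worth seeing."""
    findings = []
    for line in text.splitlines():
        req = REQUEST_RE.search(line)
        if not req:
            continue
        hit = is_plugin_traversal(req.group("path"))
        if hit:
            plugin, norm = hit
            findings.append({
                "client": line.split()[0],
                "plugin": plugin,
                "path": norm,
                "raw": req.group("path"),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} plugin={f['plugin']} -> {f['path']}")
```

Keep the raw request alongside the decoded one in any alert: the decoded form is what tells you which file was targeted (`grafana.db`, `grafana.ini`, `defaults.ini`), while the raw form shows the encoding trick used, which helps when tuning a WAF rule. A hit with status 200 on a pre-8.3.1 build should be treated as a likely credential exposure, which is what the SSH and cron bullets above follow from.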

CVSS provenance

Source          Version   Score  Severity  Vector
nvd             v3.1      7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd             v2.0      5.0    MEDIUM    AV:N/AC:L/Au:N/C:P/I:N/A:N
ghsa                      7.5    HIGH
osv                       7.5    HIGH
vulncheck                 7.5    HIGH
cisa                      7.5    HIGH
vendor_redhat             7.5    HIGH