CVE-2021-43815 — Path Traversal in Grafana Grafana

CWE-22 — Path Traversal6 documents5 sources

Severity

4.3MEDIUMNVD

GHSA7.5OSV7.5

EPSS

0.7%

top 28.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Grafana Grafana Grafana

Timeline

PublishedDec 10

Latest updateMay 14

Description

Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the developer testing tool called TestData DB data source enabled and configured. The vulnerability is limited in scope, and only allows access to files with the extension .csv to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Versions 8.3.2 and 7.5.12…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶NVDgrafana/grafana8.0.0 — 8.3.2+1

▶Gogithub.com/grafana_grafana8.0.0-beta3 — 8.3.2

▶CVEListV5grafana/grafana>= 5.0.0, < 7.5.12, >= 8.0.0-beta3, < 8.3.2+1

Patches

Patch: www.openwall.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Grafana directory traversal for .cvs files↗2024-05-14

▶

OSV

Grafana directory traversal for .cvs files↗2024-05-14

▶

CVEList

Grafana directory traversal for `.cvs` files↗2021-12-10

▶

OSV

CVE-2021-43815: Grafana is an open-source platform for monitoring and observability↗2021-12-10

▶

📋Vendor Advisories

Red Hat

grafana: directory traversal for .csv files↗2021-12-10

▶