Open-source analytics and interactive visualization solution Grafana received an emergency update today to fix a high-severity, zero-day vulnerability that enabled remote access to local files.
Grafana 8.3.1, 8.2.7, 8.1.8, and 8.0.7 were released to fix a path traversal vulnerability that could allow an attacker to navigate outside the Grafana folder and remotely access restricted locations on the server, such as /etc/passwd.
Grafana Labs published a blog post today explaining that the problem was with the URL for installed plug-ins, which was vulnerable to path traversal attacks.
Since all Grafana installations have a set of plugins installed by default, the vulnerable URL path was present on every instance of the application.
Grafana Labs received a report about the vulnerability at the end of last week, on December 3, and came up with a fix on the same day. Since the privately reported bug had become a leaked zero-day, Grafana Labs was forced to publish the fix:
2021-12-06: Second report about the vulnerability received
2021-12-07: We received information that the vulnerability has been leaked to the public, turning it into a 0day
2021-12-07: Decision made to release as quickly as feasible
2021-12-07: Private release with reduced 2-hour grace period, not the usual 1-week timeframe
2021-12-07: Public release
Now tracked as CVE-2021-43798, the flaw received a 7.5 severity score and is still exploitable on on-premise servers that have not been updated.
While Grafana Cloud instances have not been impacted, there are thousands of Grafana servers exposed on the public internet. If updating a vulnerable instance is not possible in a timely manner, it is recommended to make the server inaccessible from the public web.
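Two things a defender wants from this article in working form: a check of whether a running Grafana version is at or past its branch's fix release (the four versions listed above), and a way to find traversal attempts against the plugin URL in an access log. The script below is an added example, not code from Grafana Labs or the article; it assumes the plugin asset route is /public/plugins/ (the article only says "the URL for installed plug-ins"), assumes plain x.y.z version strings, and runs over constructed combined-format log lines.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumption: Grafana serves plugin assets under this route; the article names the
# plugin URL as the vulnerable surface but does not spell the route out.
PLUGIN_ROUTE = "/public/plugins/"

# Fix releases per branch, from the article. Anything older on that branch is unpatched.
FIXED = {(8, 0): (8, 0, 7), (8, 1): (8, 1, 8), (8, 2): (8, 2, 7), (8, 3): (8, 3, 1)}

def is_patched(version: str) -> bool:
    """True if a plain x.y.z version is at or past its branch's fix release; versions
    outside the four branches named above count as patched only if newer than 8.3.1."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    fix = FIXED.get(parts[:2])
    return parts >= fix if fix else parts >= (8, 3, 1)

# Request portion of a combined-format access log line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def is_plugin_traversal(raw_path: str) -> bool:
    """Decode the path twice (so percent-encoded dots and slashes are seen), then
    check whether a request under the plugin route resolves to a path outside it.
    Normalising instead of grepping for '../' avoids missing encoded variants."""
    decoded = unquote(unquote(raw_path.split("?", 1)[0]))
    if not decoded.startswith(PLUGIN_ROUTE):
        return False
    return not posixpath.normpath(decoded).startswith(PLUGIN_ROUTE)

def flag_requests(log_lines):
    """Return (path, status) for every logged request that looks like traversal."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and is_plugin_traversal(m.group("path")):
            hits.append((m.group("path"), m.group("status")))
    return hits

# Constructed sample lines; 203.0.113.9 is a documentation address, not a real client.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Dec/2021:10:00:01 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 1234',
    '203.0.113.9 - - [07/Dec/2021:10:00:02 +0000] "GET /public/plugins/alertlist/..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048',
    '203.0.113.9 - - [07/Dec/2021:10:00:03 +0000] "GET /public/plugins/alertlist/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0',
    '10.0.0.6 - - [07/Dec/2021:10:00:04 +0000] "GET /api/health HTTP/1.1" 200 15',
]
```

A 200 status on a flagged request means the server answered the traversal, which on an unpatched 8.x instance is the strongest signal that the file was actually served; a 404 still shows someone probing.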