CVE-2021-43798 Overview
CVE-2021-43798 is a directory traversal vulnerability affecting Grafana, an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) are vulnerable to path traversal attacks that allow unauthenticated remote attackers to read arbitrary files from the underlying server filesystem. The vulnerable URL path exploits the plugin API endpoint: <grafana_host_url>/public/plugins/<plugin-id>/, where <plugin-id> is the plugin ID for any installed plugin. This vulnerability has been actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities catalog.
Critical Impact
Unauthenticated attackers can read sensitive files including configuration files, credentials, and database contents from vulnerable Grafana servers, potentially leading to complete system compromise.
Affected Products
- Grafana versions 8.0.0-beta1 through 8.0.6
- Grafana versions 8.1.0 through 8.1.7
- Grafana versions 8.2.0 through 8.2.6
- Grafana version 8.3.0
Discovery Timeline
- 2021-12-07 - CVE CVE-2021-43798 published to NVD
- 2025-10-24 - Last updated in NVD database
Technical Details for CVE-2021-43798
Vulnerability Analysis
This directory traversal vulnerability (CWE-22) exists in Grafana's plugin file serving functionality. The application fails to properly sanitize user-supplied input in URL paths when serving plugin files. By crafting a malicious request to the /public/plugins/<plugin-id>/ endpoint with path traversal sequences, an attacker can escape the intended directory and access arbitrary files on the server filesystem. The vulnerability is particularly severe because exploitation requires no authentication, and default Grafana installations include multiple plugins that can be targeted.
The attack is network-accessible and requires low complexity to execute. Successful exploitation results in unauthorized disclosure of sensitive information including Grafana configuration files (which may contain database credentials), system password files, and other critical data stored on the server.
Root Cause
The root cause lies in insufficient input validation and path canonicalization in Grafana's static file serving mechanism for plugins. The application fails to properly neutralize special elements such as ../ sequences within the plugin path parameter before using it to construct file paths. This allows attackers to traverse outside the intended plugin directory structure and access files anywhere on the filesystem that the Grafana process has read permissions for.
Attack Vector
The attack is executed via network-based HTTP requests targeting the vulnerable plugin endpoint. An attacker sends a crafted GET request to the Grafana server with directory traversal sequences embedded in the URL path. For example, requests targeting endpoints like /public/plugins/alertlist/../../../../../../../etc/passwd allow traversal outside the plugins directory. Any installed plugin ID can be used as the initial path component, making this attack viable against virtually all Grafana installations within the affected version range.
The vulnerability can be exploited to read critical files such as /etc/passwd, /etc/shadow (if permissions allow), Grafana's grafana.ini configuration file containing database credentials, and SQLite database files containing user hashes and session tokens.
Detection Methods for CVE-2021-43798
Indicators of Compromise
- HTTP requests to /public/plugins/ endpoints containing path traversal sequences such as ../, ..%2f, or URL-encoded variants
- Web server access logs showing requests for system files like /etc/passwd, /etc/shadow, or Grafana configuration files
- Unusual read access patterns to sensitive system files by the Grafana process
- Anomalous outbound connections following successful file exfiltration attempts
Detection Strategies
- Deploy Web Application Firewall (WAF) rules to detect and block path traversal patterns in incoming requests
- Monitor Grafana access logs for requests containing .. sequences or attempts to access files outside the plugins directory
- Implement file integrity monitoring on sensitive configuration files that may be targeted
- Use network intrusion detection systems (IDS) with signatures for CVE-2021-43798 exploitation attempts
Monitoring Recommendations
- Enable verbose logging on Grafana instances and forward logs to a centralized SIEM for correlation
- Set up alerts for HTTP 200 responses to requests containing path traversal patterns targeting plugin endpoints
- Monitor for bulk file read attempts that may indicate automated exploitation
- Track access to Grafana configuration files and database files for unauthorized read operations
How to Mitigate CVE-2021-43798
Immediate Actions Required
- Upgrade Grafana immediately to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1 or later
- If immediate patching is not possible, restrict network access to Grafana instances using firewall rules
- Review access logs for evidence of exploitation and rotate credentials if compromise is suspected
- Consider taking vulnerable instances offline until patching is complete if they contain sensitive data
Patch Information
Grafana has released security patches addressing this vulnerability. Users should upgrade to the following minimum versions based on their current branch: 8.0.7 for the 8.0.x branch, 8.1.8 for the 8.1.x branch, 8.2.7 for the 8.2.x branch, or 8.3.1 for the 8.3.x branch. The fix is documented in the GitHub Grafana Commit Changes and detailed in the GitHub Grafana Security Advisory. Grafana Cloud was never vulnerable to this issue.
Workarounds
- Deploy a reverse proxy or WAF in front of Grafana to filter requests containing path traversal sequences
- Use network segmentation to limit which systems can reach the Grafana web interface
- Implement strict firewall rules allowing only trusted IP addresses to access Grafana
- If feasible, temporarily disable or restrict access to the /public/plugins/ endpoint at the web server level
# Example nginx configuration to block path traversal attempts
location /public/plugins/ {
if ($request_uri ~* "\.\.") {
return 403;
}
proxy_pass http://grafana_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
