
Grafana Directory Traversal (CVE-2021-43798)


Overview

Grafana Directory Traversal, tracked as CVE-2021-43798, affects Grafana deployments where plugin asset paths can be abused to access local files outside the intended plugin directory. Grafana is widely used for monitoring and observability, so exposed instances can hold sensitive configuration, datasource, and integration details.

Vulnerability Overview

CVE-2021-43798 is a path traversal issue in Grafana's plugin asset handling. Vulnerable Grafana versions allowed unauthenticated requests to reach local files by abusing paths under the public plugin asset route for an installed plugin.

The flaw does not require valid Grafana credentials. Its primary security impact is unauthorized local file read, which can expose configuration files, credentials, datasource secrets, or other sensitive files readable by the Grafana process.
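The defect described above is a missing containment check: the server joined a URL-supplied asset path onto a plugin directory without confirming that the result still lay inside that directory. The following Go function is an added example of the check a plugin asset handler needs; it is not Grafana's code or the lab's, and the plugin directory path, the helper name `ResolvePluginAsset` and the sample asset names are all constructed for illustration. It assumes the router has already percent-decoded the request path.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsidePluginDir is returned for any request whose resolved path leaves the plugin directory.
var ErrOutsidePluginDir = errors.New("asset path resolves outside the plugin directory")

// ResolvePluginAsset maps the asset part of a plugin asset URL (already percent-decoded by the
// router) onto the plugin's on-disk directory and rejects anything that escapes it.
// pluginDir is the absolute directory of the installed plugin; requested is the path after the plugin id.
// Hypothetical helper written for this example, not a Grafana API.
func ResolvePluginAsset(pluginDir, requested string) (string, error) {
	base := filepath.Clean(pluginDir)
	// Join cleans its result, so "a/../../x" collapses to a path above base instead of
	// hiding ".." segments inside an apparently valid prefix.
	candidate := filepath.Join(base, filepath.FromSlash(requested))
	rel, err := filepath.Rel(base, candidate)
	if err != nil {
		return "", ErrOutsidePluginDir
	}
	// After cleaning, an escape shows up as a leading ".." path segment. A bare "." is the
	// plugin directory itself, which is not a servable asset either. A filename that merely
	// starts with two dots (e.g. "..hidden.js") is not an escape and is allowed through.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsidePluginDir
	}
	return candidate, nil
}

func main() {
	pluginDir := "/var/lib/grafana/plugins/example-panel" // constructed path, not a real installation
	for _, req := range []string{"img/logo.png", "img/../module.js", "../../escape.txt", ""} {
		p, err := ResolvePluginAsset(pluginDir, req)
		if err != nil {
			fmt.Printf("%-20q -> rejected: %v\n", req, err)
			continue
		}
		fmt.Printf("%-20q -> %s\n", req, p)
	}
}
```

The check is purely lexical: it decides on the cleaned string, not on what is on disk. If plugin directories may contain symlinks, resolve the candidate with `filepath.EvalSymlinks` and repeat the containment test on the resolved path, otherwise a link inside the plugin directory can still point at a file outside it.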

Impact

The vulnerability is rated High with a CVSS 3.1 score of 7.5. Successful exploitation can compromise confidentiality by allowing attackers to read local files from the server.

Grafana states that Grafana Cloud was not vulnerable. Self-managed Grafana deployments are the main concern, especially when exposed to the internet and running an affected version. CVE-2021-43798 is also listed in the CISA Known Exploited Vulnerabilities catalog.

Vulnerability Scope

The affected range includes Grafana versions from 8.0.0-beta1 through 8.3.0, except for patched releases. Grafana advised users to upgrade to 8.0.7, 8.1.8, 8.2.7, 8.3.1, or later fixed versions.

A deployment is exposed when it is self-hosted, runs an affected version, has at least one plugin installed, and its plugin asset route is reachable by untrusted users.
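Turning the version range above into an inventory check is a common first step in triage. The Go program below is an added example, not code from Grafana or the lab: it parses a Grafana release string and reports whether it falls in the affected range 8.0.0-beta1 through 8.3.0, treating 8.0.7, 8.1.8, 8.2.7 and 8.3.1 as the first fixed release on each minor line, exactly as the advisory text on this page states. Minor lines beyond 8.3 are assumed unaffected because the page gives 8.3.0 as the upper bound; the version strings in `main` are a constructed sample, not real hosts.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed Grafana release number such as 8.3.0 or 8.0.0-beta1.
type Version struct {
	Major, Minor, Patch int
	Pre                 string // pre-release label after the dash, empty for final releases
}

// ParseVersion accepts "MAJOR.MINOR.PATCH" with an optional "-prerelease" suffix and an optional "v" prefix.
func ParseVersion(s string) (Version, error) {
	core, pre, _ := strings.Cut(strings.TrimPrefix(s, "v"), "-")
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("version %q is not MAJOR.MINOR.PATCH", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil {
			return Version{}, fmt.Errorf("version %q: %w", s, err)
		}
		n[i] = v
	}
	return Version{Major: n[0], Minor: n[1], Patch: n[2], Pre: pre}, nil
}

// firstFixedPatch lists, per affected 8.x minor line, the first patch release that contains the fix
// (8.0.7, 8.1.8, 8.2.7, 8.3.1). Minor lines absent from the map are outside the affected range
// (assumption: the page gives 8.3.0 as the last affected release).
var firstFixedPatch = map[int]int{0: 7, 1: 8, 2: 7, 3: 1}

// IsAffected reports whether v lies in the range 8.0.0-beta1 through 8.3.0, excluding patched
// releases. Pre-releases sort before their final release, so a pre-release of the first fixed
// patch level is still counted as affected.
func IsAffected(v Version) bool {
	if v.Major != 8 {
		return false
	}
	fixed, ok := firstFixedPatch[v.Minor]
	if !ok {
		return false
	}
	if v.Patch < fixed {
		return true
	}
	return v.Patch == fixed && v.Pre != ""
}

// CheckVersion parses s and returns the verdict. Unparseable strings are reported as errors,
// never silently treated as "not affected".
func CheckVersion(s string) (bool, error) {
	v, err := ParseVersion(s)
	if err != nil {
		return false, err
	}
	return IsAffected(v), nil
}

func main() {
	// Constructed inventory sample, not real hosts.
	for _, s := range []string{"8.0.0-beta1", "8.2.6", "8.2.7", "8.3.0", "8.3.1", "7.5.11", "8.4.0"} {
		affected, err := CheckVersion(s)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("%-12s affected=%v\n", s, affected)
	}
}
```

Feed it the version string each instance reports (for example from the health endpoint or the package manager) and treat any parse error as "needs manual review" rather than as a clean result.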

Lab Focus

This Hackviser lab focuses on understanding how static asset routing in extensible web applications can create file disclosure risk. You will practice identifying affected Grafana versions, recognizing the role of installed plugins in the vulnerable route, and connecting path traversal behavior to real operational impact.

Resources