Privacy Ninja

Grafana Fixes Zero-day Vulnerability After Exploits Spread over Twitter

Grafana Fixes Zero-day Vulnerability After Exploits Spread over Twitter

Open-source analytics and interactive visualization solution Grafana received an emergency update today to fix a high-severity, zero-day vulnerability that enabled remote access to local files.

Details about the issue started to become public earlier this week, before Grafana Labs rolled out updates for affected versions 8.0.0-beta1 through 8.3.0.

Plugin URL path

Earlier today, Grafana 8.3.1, 8.2.7, 8.1.8, and 8.0.7 were released to fix a path traversal vulnerability that could allow an attacker to navigate outside the Grafana folder and remotely access restricted locations on the server, such as /etc/passwd/.

Also Read: Invasion Of Privacy Elements And Its Legal Laws To Comply

Grafana Labs published a blog post today explaining that problem was with the URL for installed plug-ins, which was vulnerable to path traversal attacks.

Since all Grafana installations have a set of plugins installed by default, the vulnerable URL path was present on every instance of the application.

Grafana Labs received a report about the vulnerability at the end of last week, on December 3, and came up with a fix on the same day.

The developer planned a private customer release for today and a public one for December 14.

PoC spreads over Twitter and GitHub

A second report came in yesterday, though, indicating that information about the issue started to spread, the confirmation coming when news about the bug appeared in the public space.

source: Corben Leo

It didn’t take long for technical details along with proof-of-concepts (PoC) to exploit the bug to become available on Twitter and GitHub.

Also Read: EU GDPR Articles: Key For Business Security And Success

CVE-2021-43798 exploitation
source Martin Hsu

Since the privately reported bug had become a leaked zero-day, Grafana Labs was forced to publish the fix:

  • 2021-12-06: Second report about the vulnerability received
  • 2021-12-07: We received information that the vulnerability has been leaked to the public, turning it into a 0day
  • 2021-12-07: Decision made to release as quickly as feasible
  • 2021-12-07: Private release with reduced 2-hour grace period, not the usual 1-week timeframe
  • 2021-12-07: Public release

Now tracked as CVE-2021-43798, the flaw received a 7.5 severity score and is still exploitable on on-premise servers that have not been updated.

Grafana Cloud instances have not been impacted, the developer said today.

According to public reports, there are thousands of Grafana servers exposed on the public internet. If updating a vulnerable instance is not possible in a timely manner, it is recommended to make the server inaccessible from the public web.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us