CVE-2021-43798 log

Severity: High
Remote: Yes
Type: Directory traversal
Grafana 8 before version 8.3.1 is vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is <grafana_host_url>/public/plugins/<"plugin-id">, where <"plugin-id"> is the plugin ID for any installed plugin.
Group      Package   Affected   Fixed     Severity   Status   Ticket
AVG-2609   grafana   8.3.0-1    8.3.1-1   High       Fixed

Date          Advisory        Group      Package   Severity   Type
11 Dec 2021   ASA-202112-11   AVG-2609   grafana   High       directory traversal

The issue can be mitigated by running a reverse proxy in front of Grafana that normalizes the PATH of the request before forwarding it, for example with the normalize_path setting in Envoy.
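Added example, not part of the advisory or of Grafana/Envoy code: a reference implementation of the dot-segment normalization such a proxy applies (RFC 3986 remove_dot_segments, with percent-decoding of the path as a simplifying assumption), used to flag requests to the plugin asset route whose path changes under normalization. Log lines, IPs and the plugin id "welcome" are constructed.

```python
import re
from urllib.parse import unquote

PLUGIN_PREFIX = "/public/plugins/"
# Common log format request field: "GET /path HTTP/1.1"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def normalize_path(path: str) -> str:
    """Drop the query string, percent-decode, then resolve '.' and '..' segments
    without ever ascending above '/'. A normalizing reverse proxy forwards this
    form, so '/public/plugins/<id>/../../x' reaches Grafana as '/x'.
    Assumption: full percent-decoding; a real proxy may leave %2F encoded."""
    decoded = unquote(path.split("?", 1)[0])
    out = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue            # collapses '//' and '/./'
        if seg == "..":
            if out:
                out.pop()       # step up one level, never past the root
            continue
        out.append(seg)
    return "/" + "/".join(out)

def is_traversal_attempt(path: str) -> bool:
    """True for a request under /public/plugins/ whose path is changed by
    normalization (dot segments or doubled slashes present)."""
    raw = unquote(path.split("?", 1)[0])
    if not raw.startswith(PLUGIN_PREFIX):
        return False
    return normalize_path(path) != raw.rstrip("/")

# Constructed access-log sample: one benign asset fetch, two traversal attempts,
# one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Dec/2021:10:00:00 +0000] "GET /public/plugins/welcome/img/logo.png HTTP/1.1" 200 512
10.0.0.9 - - [11/Dec/2021:10:00:01 +0000] "GET /public/plugins/welcome/../../../../conf/example.ini HTTP/1.1" 200 2048
10.0.0.9 - - [11/Dec/2021:10:00:02 +0000] "GET /public/plugins/welcome/%2e%2e/%2e%2e/%2e%2e/example.txt HTTP/1.1" 200 100
10.0.0.7 - - [11/Dec/2021:10:00:03 +0000] "GET /api/health HTTP/1.1" 200 20
"""

def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (client_ip, normalized_path) for every flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m and is_traversal_attempt(m["path"]):
            hits.append((line.split()[0], normalize_path(m["path"])))
    return hits

if __name__ == "__main__":
    for ip, resolved in scan_log(SAMPLE_LOG):
        print(f"{ip} requested plugin asset resolving to {resolved}")
```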