
Cloud Vulnerability DB
A community-led vulnerabilities database
Grafana, an open-source platform for monitoring and observability, was found to contain a high-severity directory traversal vulnerability (CVE-2021-43798) affecting versions 8.0.0-beta1 through 8.3.0. The vulnerability was reported to Grafana Labs on December 3, 2021. It allows an unauthenticated attacker to read local files through the plugin asset endpoint, /public/plugins/<plugin-id>/<path>, where the plugin ID can be that of any installed plugin and the path carries `..` segments. Grafana Labs had planned a coordinated fix release, but the vulnerability became a 0-day when exploit details were leaked to the public on December 7, 2021 (Grafana Blog, GitHub Advisory).
The vulnerability received a CVSS v3.1 base score of 7.5 (High) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: network-reachable, no privileges or user interaction required, high confidentiality impact, no integrity or availability impact. Because the affected endpoint accepts the ID of any installed plugin, the pre-installed plugins alone give an attacker many working entry points, including alertlist, annolist, barchart, bargauge, cloudwatch, and many others. The root cause is improper path handling in the plugin asset serving handler: the file path taken from the URL is joined onto the plugin's directory without a check that the result stays inside that directory, so `..` segments in a crafted URL walk out to arbitrary files readable by the Grafana process (GitHub Advisory, OSS Security).
Successful exploitation allows an attacker to read arbitrary files from the server hosting Grafana with the permissions of the Grafana process, potentially exposing sensitive information such as Grafana's own configuration and database files, which may contain credentials and signing secrets. The vulnerability requires no authentication and can be exploited remotely with a single HTTP request, which makes it particularly dangerous for any Grafana instance reachable from an untrusted network. Grafana Cloud instances were not affected due to defense-in-depth measures (Grafana Blog).
Users are advised to upgrade to the patched versions: 8.0.7, 8.1.8, 8.2.7, or 8.3.1. After upgrading, confirm the running version (for example, the unauthenticated /api/health endpoint reports it) rather than relying on the package version alone. For users unable to upgrade immediately, running a reverse proxy in front of Grafana that normalizes the PATH of the request can mitigate the vulnerability, for example by enabling the normalize_path setting in Envoy; the normalization must remove the `..` segments before the request reaches Grafana, and the proxy must be the only route to the Grafana port. Cloud providers offering managed Grafana services, including Amazon Managed Grafana and Azure Managed Grafana, have implemented the necessary security measures (GitHub Advisory).
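The following Go program is an added illustration of the two sides of this report, the path-handling flaw described above and the proxy-side path normalization offered as a mitigation; it is not Grafana's code and not part of the original page. The plugin directory, the traversal payload and the helper names (vulnerableAssetPath, safeAssetPath, normalizeRequestPath) are constructed for the example, and the normalization helper only approximates what a proxy such as Envoy does, so the exact encodings a given proxy covers must be checked against its documentation.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// Constructed sample input: a plugin directory and the kind of payload
// reported for CVE-2021-43798 (leading ".." segments under /public/plugins/<id>/).
const (
	samplePluginDir = "/usr/share/grafana/public/app/plugins/panel/alertlist"
	samplePayload   = "../../../../../../../../etc/passwd"
)

// ErrTraversal is returned when a requested asset would resolve outside the plugin directory.
var ErrTraversal = errors.New("requested asset path escapes the plugin directory")

// vulnerableAssetPath shows the pattern behind the bug: the wildcard segment
// from the URL is joined onto the plugin directory with no containment check.
// filepath.Join cleans the result, but cleaning a path that starts with enough
// ".." segments simply walks out of pluginDir toward the filesystem root.
func vulnerableAssetPath(pluginDir, requested string) string {
	return filepath.Join(pluginDir, requested)
}

// safeAssetPath resolves the same request and refuses any result that does
// not stay under pluginDir. The containment test is done on the cleaned
// absolute path, not on the raw string, so "img/../../x" is caught as well.
func safeAssetPath(pluginDir, requested string) (string, error) {
	base := filepath.Clean(pluginDir)
	full := filepath.Join(base, requested)
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	// rel is ".." or starts with "../" exactly when full lies above base.
	// A file literally named "..something" inside base still passes.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

// normalizeRequestPath approximates the proxy-side mitigation: remove dot
// segments from the URL path before it is forwarded to Grafana. It also reports
// whether the path changed, which is worth logging or blocking on, because a
// legitimate plugin asset request never contains dot segments.
func normalizeRequestPath(rawPath string) (normalized string, changed bool) {
	// Decoding percent-encoded dots first ("%2e%2e/" -> "../") is this
	// example's own choice; confirm what the proxy in use actually decodes.
	decoded := strings.NewReplacer("%2e", ".", "%2E", ".").Replace(rawPath)
	normalized = path.Clean("/" + strings.TrimPrefix(decoded, "/"))
	// path.Clean drops a trailing slash; keep it so directory URLs are unchanged.
	if strings.HasSuffix(decoded, "/") && normalized != "/" {
		normalized += "/"
	}
	return normalized, normalized != rawPath
}

func main() {
	fmt.Println("vulnerable:", vulnerableAssetPath(samplePluginDir, samplePayload))
	if _, err := safeAssetPath(samplePluginDir, samplePayload); err != nil {
		fmt.Println("hardened  :", err)
	}
	p, changed := normalizeRequestPath("/public/plugins/alertlist/" + samplePayload)
	fmt.Printf("proxy     : %s (rewritten=%v)\n", p, changed)
}
```

Run as-is, the vulnerable resolver returns /etc/passwd for the sample payload, the hardened one returns ErrTraversal, and the proxy-side helper rewrites the request path to /etc/passwd and flags it as changed, which is the point at which a proxy should reject or log the request rather than forward it. Checking containment on the cleaned absolute path, as safeAssetPath does, is the durable fix; path normalization in front of the service is a stopgap until the upgrade is applied.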
The vulnerability received significant attention from the security community because of its severity and the ease of exploitation: a single crafted GET request with no authentication. Grafana Labs acknowledged this as their first 0-day and had to bring forward their planned release timeline once the vulnerability was leaked to the public. The incident prompted Grafana Labs to announce plans for a formal bug bounty program to better handle future security research submissions (Grafana Blog).
Source: This report was generated using AI