
Cloud Vulnerability DB
A community-led vulnerabilities database
Grafana versions 8.0.0-beta3 to 8.3.1 contained a directory traversal vulnerability (CVE-2021-43815) that allowed authenticated users to read arbitrary .csv files. The vulnerability was discovered on December 9, 2021, and was patched in version 8.3.2 released on December 10, 2021. The vulnerability was limited in scope and required the TestData DB data source (a developer testing tool) to be enabled and configured, which was not enabled by default (Grafana Blog).
The vulnerability was assigned a CVSS Score of 4.3 (Moderate) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerable path was /api/ds/query, which could be exploited through directory traversal to read .csv files. The vulnerability required authentication and was specifically tied to the TestData DB data source functionality (GitHub Advisory).
The vulnerability allowed authenticated users to read arbitrary .csv files through directory traversal. However, the impact was limited due to the requirement of authentication and the need for the TestData DB data source to be enabled. Grafana Cloud instances were not affected due to defense-in-depth measures (Openwall).
Users were advised to upgrade to Grafana version 8.3.2 as soon as possible. For those unable to upgrade, running a reverse proxy in front of Grafana that normalizes the request path would mitigate the vulnerability; the proxy had to decode URL-encoded paths before normalizing them, since an encoded traversal sequence would otherwise pass through untouched. Additionally, administrators could mitigate the vulnerability by deleting all configured TestData DB data sources (Grafana Blog).
The vulnerability was discovered shortly after the high-severity CVE-2021-43798, leading to increased security scrutiny of Grafana. In response, Grafana Labs acknowledged that it had identified several vulnerabilities in recent weeks, at a higher rate than in previous years. The company committed to increasing investment in security assessment and making it a top priority (Grafana Blog).
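The reverse-proxy mitigation described above hinges on one detail: the proxy must percent-decode the path (including double-encoded forms) before checking for traversal segments, or the check can be bypassed. The following Go middleware is an added example, not code from Grafana Labs or from the Wiz database; it shows the normalization step a practitioner would put in front of a backend such as `/api/ds/query`. The function name `NormalizeRequestPath`, the middleware `PathNormalizingProxy` and the sample request paths in `main` are all constructed for this illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"path"
	"strings"
)

// NormalizeRequestPath percent-decodes the raw request path repeatedly (so
// that a double-encoded "%252e%252e" is seen as ".."), rejects any path that
// still contains "." or ".." segments or control characters, and returns the
// cleaned path that is safe to forward. ok is false when the request should
// be refused rather than forwarded.
func NormalizeRequestPath(raw string) (cleaned string, ok bool) {
	decoded := raw
	// Three rounds are enough to unwrap double-encoding without looping forever.
	for i := 0; i < 3; i++ {
		next, err := url.PathUnescape(decoded)
		if err != nil {
			// Malformed escape sequences are refused outright.
			return "", false
		}
		if next == decoded {
			break
		}
		decoded = next
	}
	// Some backends treat backslash as a separator; normalize it so the
	// segment check below cannot be sidestepped.
	decoded = strings.ReplaceAll(decoded, "\\", "/")
	for _, c := range decoded {
		if c < 0x20 || c == 0x7f {
			// NUL bytes and other control characters have no place in a path.
			return "", false
		}
	}
	if !strings.HasPrefix(decoded, "/") {
		decoded = "/" + decoded
	}
	// Reject relative segments before cleaning: path.Clean would silently
	// resolve "/a/../b" to "/b", hiding the attempt.
	for _, seg := range strings.Split(decoded, "/") {
		if seg == "." || seg == ".." {
			return "", false
		}
	}
	return path.Clean(decoded), true
}

// PathNormalizingProxy wraps a backend handler: requests whose path fails
// normalization get 403, all others are forwarded with the cleaned path.
func PathNormalizingProxy(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// EscapedPath keeps the percent-encoding the client actually sent.
		cleaned, ok := NormalizeRequestPath(r.URL.EscapedPath())
		if !ok {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		r.URL.Path = cleaned
		r.URL.RawPath = ""
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample paths: one clean request, one plain traversal,
	// one URL-encoded traversal and one double-encoded traversal.
	samples := []string{
		"/api/ds/query",
		"/api/ds/query/../../../some.csv",
		"/api/ds/query/..%2F..%2Fsome.csv",
		"/api/%252e%252e/some.csv",
	}
	for _, s := range samples {
		cleaned, ok := NormalizeRequestPath(s)
		fmt.Printf("%-40s forward=%-5v cleaned=%q\n", s, ok, cleaned)
	}
}
```

Wire `PathNormalizingProxy` around an `httputil.ReverseProxy` (or any handler) to get the behaviour the advisory recommends; the important design choice is that the decision is made on the fully decoded path and that relative segments are refused rather than resolved, so the backend never sees a path the proxy did not understand.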
Source: This report was generated using AI