Vulnerabilities in Grafana that allow access to files in the system

A vulnerability (CVE-2021-43798) has been identified in Grafana, an open-source data visualization platform, that allows escaping the base directory and reading arbitrary files on the server's local file system, limited only by the permissions of the user account Grafana runs under. The problem is caused by incorrect handling of paths under "/public/plugins/" followed by a plugin identifier: the handler allowed ".." segments to climb into parent directories.

The vulnerability can be exploited by requesting the URL of one of the typical pre-installed plugins, such as "/public/plugins/graph/", "/public/plugins/mysql/" or "/public/plugins/prometheus/" (about 40 plugins are pre-installed). For example, to read the /etc/passwd file, one could send the request "/public/plugins/prometheus/../../../../../../../../etc/passwd". Note that browsers and most HTTP client libraries normalize ".." out of a path before sending it, so a raw traversal like this has to be sent by a client that preserves the path as-is (for curl, the --path-as-is option), or with the dots and slashes percent-encoded. To look for traces of exploitation, it is recommended to search the HTTP server logs for the "..%2f" pattern, and, since the encoding an attacker uses varies, for the unencoded "../" form as well.
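As an added example (not code from the article or from the Grafana project), here is a small Go scanner that applies the log check above to a few constructed access-log lines in combined log format. It percent-decodes the request target (twice, to catch double encoding) so that the raw "../", "..%2f" and "%2e%2e/" forms are all caught, and flags any decoded target under /public/plugins/ that still contains a ".." segment. The log lines, addresses and file names are made up for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// sampleLog holds constructed reverse-proxy access log lines (combined log
// format). They are not real traffic: three are traversal attempts in
// different encodings, one is a legitimate plugin asset request.
var sampleLog = []string{
	`10.0.0.5 - - [07/Dec/2021:10:01:02 +0000] "GET /public/plugins/prometheus/../../../../../../../../etc/passwd HTTP/1.1" 200 1420 "-" "curl/7.79.1"`,
	`10.0.0.5 - - [07/Dec/2021:10:01:05 +0000] "GET /public/plugins/mysql/..%2f..%2f..%2f..%2f..%2fetc%2fgrafana%2fgrafana.ini HTTP/1.1" 200 3011 "-" "python-requests/2.26.0"`,
	`10.0.0.9 - - [07/Dec/2021:10:02:11 +0000] "GET /public/plugins/graph/module.js HTTP/1.1" 200 8820 "-" "Mozilla/5.0"`,
	`10.0.0.7 - - [07/Dec/2021:10:03:40 +0000] "GET /public/plugins/alertlist/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1420 "-" "curl/7.79.1"`,
}

// requestPathRe extracts the request target from a combined-format log line.
var requestPathRe = regexp.MustCompile(`"(?:GET|HEAD|POST) (\S+) HTTP/`)

// Hit is one flagged log line together with the decoded path that triggered it.
type Hit struct {
	Line    string
	Decoded string
}

// IsPluginTraversal reports whether a request target under /public/plugins/
// contains a ".." path segment once percent-encoding is removed. Decoding is
// applied twice so that double-encoded variants ("%252e%252e") are caught too.
// The decoded path is returned for logging.
func IsPluginTraversal(target string) (bool, string) {
	path := target
	if i := strings.IndexByte(path, '?'); i >= 0 {
		path = path[:i] // ignore the query string
	}
	decoded := path
	for i := 0; i < 2; i++ {
		d, err := url.PathUnescape(decoded)
		if err != nil {
			break // malformed escape: keep what we have
		}
		decoded = d
	}
	if !strings.HasPrefix(decoded, "/public/plugins/") {
		return false, decoded
	}
	for _, seg := range strings.Split(decoded, "/") {
		if seg == ".." {
			return true, decoded
		}
	}
	return false, decoded
}

// ScanLog returns the lines whose request target is a traversal attempt.
func ScanLog(lines []string) []Hit {
	var hits []Hit
	for _, line := range lines {
		m := requestPathRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		if ok, decoded := IsPluginTraversal(m[1]); ok {
			hits = append(hits, Hit{Line: line, Decoded: decoded})
		}
	}
	return hits
}

func main() {
	for _, h := range ScanLog(sampleLog) {
		fmt.Printf("traversal attempt: %s\n", h.Decoded)
	}
}
```

To run this against a real log, replace sampleLog with the file's lines. Keep in mind that a reverse proxy in front of Grafana may itself have normalized the path before forwarding or logging it, so a clean scan of one component's log is not proof that no traversal reached Grafana; check the log of whichever component received the raw request.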

The problem appeared in version 8.0.0-beta1 and was fixed in Grafana releases 8.3.1, 8.2.7, 8.1.8 and 8.0.7. Two more similar vulnerabilities were identified afterwards (CVE-2021-43813 and CVE-2021-43815), present since Grafana 5.0.0 and Grafana 8.0.0-beta3 respectively, which allowed an authenticated Grafana user to read arbitrary files on the system with the ".md" and ".csv" extensions (only where the file name is entirely lowercase or entirely uppercase) by placing ".." segments in the "/api/plugins/.*/markdown/.*" and "/api/ds/query" paths. Grafana 8.3.2 and 7.5.12 were released to address these vulnerabilities.
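The mechanics behind both the original bug and the two follow-up issues, as an added illustration in Go (Grafana's own language) rather than Grafana's actual code: a resolver that joins a URL remainder onto a plugin directory without a containment check, beside a hardened variant that rejects any result outside that directory. The plugins directory path and the plugin IDs are assumptions made for the example, not Grafana's real layout. The last function shows why an extension allowlist on its own does not help: the suffix check passes for a traversed path just as well.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a requested file resolves outside the
// plugin's directory.
var ErrOutsideRoot = errors.New("requested path escapes plugin root")

// VulnerableResolve reproduces the failure mode the article describes (as an
// illustration, not Grafana's code): the remainder of the URL is joined onto
// the plugin directory and never checked. filepath.Join cleans the result, so
// every ".." climbs one directory, all the way past the plugin root.
func VulnerableResolve(pluginsDir, pluginID, rest string) string {
	return filepath.Join(pluginsDir, pluginID, filepath.FromSlash(rest))
}

// SafeResolve joins the same way, then verifies that the cleaned result is
// still inside the plugin's own directory. Anything that escapes is rejected
// rather than silently remapped, so the attempt can be logged.
func SafeResolve(pluginsDir, pluginID, rest string) (string, error) {
	root := filepath.Join(pluginsDir, pluginID)
	full := filepath.Join(root, filepath.FromSlash(rest))
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// AllowedExtension is the kind of check that is not enough on its own: it
// constrains the file name suffix but says nothing about the directory, which
// is why the later issues limited to ".md" and ".csv" files were still
// traversals.
func AllowedExtension(p string, exts ...string) bool {
	for _, e := range exts {
		if strings.HasSuffix(p, e) {
			return true
		}
	}
	return false
}

func main() {
	const pluginsDir = "/var/lib/grafana/plugins" // assumed layout for the example
	req := "../../../../../../../../etc/passwd"   // the request from the article
	fmt.Println("vulnerable:", VulnerableResolve(pluginsDir, "prometheus", req))
	if _, err := SafeResolve(pluginsDir, "prometheus", req); err != nil {
		fmt.Println("hardened:", err)
	}
	md := "../../../../../../../../etc/notes.md" // made-up target
	fmt.Println("extension check passes:", AllowedExtension(md, ".md", ".csv"),
		"->", VulnerableResolve(pluginsDir, "graph", md))
}
```

The containment check is deliberately done on the cleaned, joined result rather than on the raw request string, so it does not matter whether the ".." arrived encoded or plain; what matters is where the file system path ends up. Symlinks inside the plugin directory are a separate concern that a lexical check like this does not cover.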

Source: opennet.ru