Skip to the content.

DIVD-2022-00002 - Grafana

Our reference DIVD-2022-00002
Case lead Tom Wolters
Researcher(s)
CVE(s)
  • n/a
Product Grafana
Versions v8.0.0-beta1 to v8.3.0
Recommendation Upgrade to version v8.3.1
Patch status Full patched
Status Open
Last modified 20 Jun 2022 07:35

Summary

Grafana, a popular open source analytics tool to create interactive graphs and dashboards, suffered from an Unauthenticated Directory Traversal vulnerability. This vulnerability, known under CVE-2021-43798, was discovered on the 3rd of december of 2021 and publicly released on the 7th of that month. Versions v8.0.0-beta1 to v8.3.0 are found to be vulnerable in their default configuration. Emergency releases were created and several new releases after v8.3.0 have been published. An attacker exploiting this vulnerability can read local and most likely sensitive files, such as usernames and possibly cleartext credentials from local configuration files.

What you can do

What we are doing

Timeline

Date Description
03 Dec 2021 Vulnerability reported to Grafana.
07 Dec 2021 Emergency patches released and full public release.
10 Jan 2022 DIVD created a list of vulnerable Grafana instances.
18 Jan 2022 First version of this case file.
18 Jan 2022 DIVD sent out a first batch of notifications.
06 Feb 2022 DIVD sent out a second batch of notifications.
gantt title DIVD-2022-00002 - Grafana dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2022-00002 - Grafana (still open) :2021-12-07, 2022-07-01 section Events Vulnerability reported to Grafana. : milestone, 2021-12-03, 0d Emergency patches released and full public release. : milestone, 2021-12-07, 0d DIVD created a list of vulnerable Grafana instances. : milestone, 2022-01-10, 0d First version of this case file. : milestone, 2022-01-18, 0d DIVD sent out a first batch of notifications. : milestone, 2022-01-18, 0d DIVD sent out a second batch of notifications. : milestone, 2022-02-06, 0d

More information