github.com/grafana/grafana is vulnerable to path traversal. The vulnerability exists in the getPluginAssets function in plugins.go, allowing an attacker to access local files through URL paths such as /public/plugins/.
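A containment check of the kind that closes this class of bug, shown as an added example; it is not Grafana's code or the patch in the linked commit. The helper name resolvePluginAsset, the error value and the sample plugin directory are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsidePluginDir reports a request that resolves outside the plugin directory.
var ErrOutsidePluginDir = errors.New("requested asset is outside the plugin directory")

// resolvePluginAsset maps the wildcard part of a /public/plugins/<id>/<asset>
// request onto a file under pluginDir. Hypothetical helper, not Grafana's own code.
func resolvePluginAsset(pluginDir, requested string) (string, error) {
	base, err := filepath.Abs(pluginDir)
	if err != nil {
		return "", err
	}
	// Join also cleans the result, so every ".." segment is collapsed here.
	full := filepath.Join(base, filepath.FromSlash(requested))
	// Compare by path component, not by string prefix: a sibling directory such as
	// "<base>-evil" shares the string prefix but is not inside base.
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsidePluginDir
	}
	return full, nil
}

func main() {
	dir := "/var/lib/grafana/plugins/example-panel" // constructed sample path
	for _, req := range []string{
		"img/logo.svg", "a/../module.js", "../../../../etc/hostname", "..hidden/file",
	} {
		p, err := resolvePluginAsset(dir, req)
		fmt.Printf("%-28q -> %q err=%v\n", req, p, err)
	}
}
```

The check is lexical: if the plugin directory can contain symlinks, resolve them with filepath.EvalSymlinks before comparing.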
packetstormsecurity.com/files/165198/Grafana-Arbitrary-File-Reading.html
packetstormsecurity.com/files/165221/Grafana-8.3.0-Directory-Traversal-Arbitrary-File-Read.html
www.openwall.com/lists/oss-security/2021/12/09/2
www.openwall.com/lists/oss-security/2021/12/10/4
github.com/grafana/grafana/commit/c798c0e958d15d9cc7f27c72113d572fa58545ce
github.com/grafana/grafana/pull/42846
github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p
grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/
security.netapp.com/advisory/ntap-20211229-0004/