CVE-2021-43815

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-43815
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-43815.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-43815
Aliases
Related
Published
2021-12-10T21:15:09Z
Modified
2024-08-01T09:31:21.806314Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
[none]
Details

Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the developer testing tool called TestData DB data source enabled and configured. The vulnerability is limited in scope, and only allows access to files with the extension .csv to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Versions 8.3.2 and 7.5.12 contain a patch for this issue. There is a workaround available for users who cannot upgrade. Running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to also be able to handle url encoded paths.

References

Affected packages

Git / github.com/grafana/grafana

Affected ranges

Type
GIT
Repo
https://github.com/grafana/grafana
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

v1.*

v1.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.1.0
v1.2.0
v1.3.0
v1.4.0
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.6.0
v1.6.1
v1.7.0
v1.7.0-rc1
v1.8.0
v1.8.0-rc1
v1.8.1
v1.9.0
v1.9.0-rc1
v1.9.1

v2.*

v2.0.0-beta1
v2.0.0-beta3
v2.0.1
v2.0.2
v2.1.0
v2.1.1
v2.1.2
v2.5.0
v2.6.0
v2.6.0-beta1

v3.*

v3.0-beta1
v3.0-beta2
v3.0-beta3
v3.0-beta4
v3.0-beta5
v3.0.0-beta6
v3.0.0-beta7
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.1.0
v3.1.0-beta1
v3.1.1

v4.*

v4.0.0
v4.0.0-beta1
v4.0.0-beta2
v4.0.1
v4.0.2
v4.1.0-beta1
v4.2.0-beta1
v4.3.0
v4.3.0-beta1
v4.3.1
v4.3.2
v4.4.0
v4.4.1
v4.4.2
v4.4.3
v4.5.0
v4.5.0-beta1
v4.5.1
v4.6.0-beta1

v5.*

v5.,2.4
v5.0.0
v5.0.0-beta1
v5.0.0-beta2
v5.0.0-beta3
v5.0.0-beta4
v5.0.0-beta5

v6.*

v6.0.0-beta1
v6.5