
FreeBSD: VID-e33880ed-5802-11ec-8398-6c3be5272acd (CVE-2021-43798): Grafana -- Path Traversal

Severity
5
CVSS
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published
Dec 11, 2021
Added
Nov 4, 2022
Modified
Dec 10, 2025

Description

Grafana Labs reports: Grafana is vulnerable to directory traversal, allowing access to local files. We have confirmed this for versions v8.0.0-beta1 to v8.3.0. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.

The vulnerable URL path is: <grafana_host_url>/public/plugins/<"plugin-id">, where <"plugin-id"> is the plugin ID for any installed plugin. Every Grafana instance comes with pre-installed plugins like the Prometheus plugin or MySQL plugin, so the following URLs are vulnerable for every instance:

<grafana_host_url>/public/plugins/alertlist/
<grafana_host_url>/public/plugins/annolist/
<grafana_host_url>/public/plugins/barchart/
<grafana_host_url>/public/plugins/bargauge/
<grafana_host_url>/public/plugins/candlestick/
<grafana_host_url>/public/plugins/cloudwatch/
<grafana_host_url>/public/plugins/dashlist/
<grafana_host_url>/public/plugins/elasticsearch/
<grafana_host_url>/public/plugins/gauge/
<grafana_host_url>/public/plugins/geomap/
<grafana_host_url>/public/plugins/gettingstarted/
<grafana_host_url>/public/plugins/grafana-azure-monitor-datasource/
<grafana_host_url>/public/plugins/graph/
<grafana_host_url>/public/plugins/heatmap/
<grafana_host_url>/public/plugins/histogram/
<grafana_host_url>/public/plugins/influxdb/
<grafana_host_url>/public/plugins/jaeger/
<grafana_host_url>/public/plugins/logs/
<grafana_host_url>/public/plugins/loki/
<grafana_host_url>/public/plugins/mssql/
<grafana_host_url>/public/plugins/mysql/
<grafana_host_url>/public/plugins/news/
<grafana_host_url>/public/plugins/nodeGraph/
<grafana_host_url>/public/plugins/opentsdb
<grafana_host_url>/public/plugins/piechart/
<grafana_host_url>/public/plugins/pluginlist/
<grafana_host_url>/public/plugins/postgres/
<grafana_host_url>/public/plugins/prometheus/
<grafana_host_url>/public/plugins/stackdriver/
<grafana_host_url>/public/plugins/stat/
<grafana_host_url>/public/plugins/state-timeline/
<grafana_host_url>/public/plugins/status-history/
<grafana_host_url>/public/plugins/table/
<grafana_host_url>/public/plugins/table-old/
<grafana_host_url>/public/plugins/tempo/
<grafana_host_url>/public/plugins/testdata/
<grafana_host_url>/public/plugins/text/
<grafana_host_url>/public/plugins/timeseries/
<grafana_host_url>/public/plugins/welcome/
<grafana_host_url>/public/plugins/zipkin/
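Detection logic for the vulnerable route described above, as an added example that is not part of the advisory or of Grafana's own code: it scans web-server access-log lines for requests under /public/plugins/ whose path still contains a parent-directory segment after percent-decoding. The log lines, their format and the request paths in them are constructed for illustration.

```go
package main

import (
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample access-log lines (combined log format), not real traffic.
var SampleLog = []string{
	`10.0.0.5 - - [11/Dec/2021:10:00:01 +0000] "GET /public/plugins/prometheus/img/logo.svg HTTP/1.1" 200 1532`,
	`10.0.0.9 - - [11/Dec/2021:10:00:02 +0000] "GET /public/plugins/prometheus/../../../../etc/passwd HTTP/1.1" 200 2048`,
	`10.0.0.9 - - [11/Dec/2021:10:00:03 +0000] "GET /public/plugins/alertlist/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 200 310`,
	`10.0.0.7 - - [11/Dec/2021:10:00:04 +0000] "GET /api/health HTTP/1.1" 200 42`,
}

var requestRe = regexp.MustCompile(`"(?:GET|HEAD|POST) (\S+) HTTP/`) // request target

const pluginPrefix = "/public/plugins/"

// IsPluginTraversal reports whether a request target hits the plugin static route
// and holds a ".." segment after percent-decoding (run twice to catch double encoding).
func IsPluginTraversal(target string) bool {
	p := target
	for i := 0; i < 2; i++ {
		if dec, err := url.PathUnescape(p); err == nil {
			p = dec
		}
	}
	if !strings.HasPrefix(p, pluginPrefix) {
		return false
	}
	for _, seg := range strings.Split(p, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

// ScanAccessLog returns the request targets of lines that look like traversal probes.
func ScanAccessLog(lines []string) []string {
	var hits []string
	for _, line := range lines {
		if m := requestRe.FindStringSubmatch(line); m != nil && IsPluginTraversal(m[1]) {
			hits = append(hits, m[1])
		}
	}
	return hits
}
```

This only flags forward-slash ".." segments as they reach the server log; a reverse proxy that normalises paths before logging, or alternative encodings it does not decode, will not be caught, so pair it with upgrading to a fixed package.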

Solutions

freebsd-upgrade-package-grafana8
freebsd-upgrade-package-grafana