CVE-2021-43798
Published: 07 December 2021
Summary
CVE-2021-43798 is a high-severity Path Traversal (CWE-22) vulnerability in Grafana. Its CVSS base score is 7.5 (High).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Grafana, an open-source monitoring and observability platform, contains a directory traversal vulnerability in versions 8.0.0-beta1 through 8.3.0. The flaw resides in the handling of the URL path /public/plugins/<plugin-id>/, where any installed plugin identifier can be supplied, enabling unauthenticated access to arbitrary local files on the server. Grafana Cloud instances were never affected by this issue, which is tracked as CWE-22 with a CVSS 3.1 score of 7.5.
An attacker with network access to a vulnerable Grafana instance can exploit the path traversal without authentication or user interaction to read sensitive files such as configuration data or credentials, resulting in high confidentiality impact while leaving integrity and availability unaffected.
Official guidance in the Grafana security advisory and associated patches directs administrators to upgrade immediately to versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. Public references, including the GitHub commit and oss-security disclosures, provide additional detail on the vulnerable paths and recommended mitigations.
Proof-of-concept exploits have been published on Packet Storm, confirming straightforward remote file-read attacks against unpatched deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0581
Vulnerability details
Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) are vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is `<grafana_host_url>/public/plugins/<plugin-id>/`, where `<plugin-id>` is the plugin ID for any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline.
- CWE(s): CWE-22 (Path Traversal)
- KEV Date Added: 09 October 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Mandates immediate application of the vendor patches (8.0.7/8.1.8/8.2.7/8.3.1) that eliminate the directory-traversal flaw in the /public/plugins path handler.
- SI-10 (Information Input Validation): Requires validation of URL path inputs so that traversal sequences such as ../ are rejected rather than allowing unauthenticated access to arbitrary local files.
- Enforces access-control policy on server resources so that even a reachable file path cannot be read without proper authorization.
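As an added illustration (not Grafana's own code and not part of this record), the following Go program shows the two defensive sides of the controls listed above and of the attack described under "Deeper analysis": a containment check of the kind SI-10 calls for, which resolves the part of the URL after /public/plugins/<plugin-id>/ against that plugin's directory and rejects anything that escapes it, and a small access-log heuristic that flags requests whose cleaned path no longer lies under the plugin prefix, useful when reviewing logs of instances that were exposed before patching. The function names (`safePluginFile`, `isTraversalRequest`, `flagTraversalLines`), the directory `/var/lib/grafana/plugins/alertlist`, the plugin ID `alertlist`, the log line format and the log lines themselves are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a requested file would resolve outside the
// plugin's own directory.
var ErrOutsideRoot = errors.New("requested path escapes the plugin directory")

// safePluginFile resolves the part of the URL that follows
// /public/plugins/<plugin-id>/ against that plugin's directory on disk and
// refuses any result that does not stay inside it. It expects the already
// URL-decoded path, as a router would hand it over.
// Hypothetical helper written for this example; it is not Grafana's code.
func safePluginFile(pluginDir, requested string) (string, error) {
	root := filepath.Clean(pluginDir)
	// Join cleans the result, so "../../etc/passwd" collapses upward out of root
	// instead of surviving as literal ".." segments.
	full := filepath.Join(root, filepath.FromSlash(requested))
	rel, err := filepath.Rel(root, full)
	if err != nil {
		return "", err
	}
	// A relative path that still begins with ".." after cleaning left the root.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// isTraversalRequest flags a logged request path that targets
// /public/plugins/<plugin-id>/ but whose cleaned form no longer lies under
// that plugin's prefix. It decodes percent-escapes once, as a server would.
// Heuristic for log review, not a replacement for patching.
func isTraversalRequest(rawPath string) bool {
	const prefix = "/public/plugins/"
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return true // malformed escape sequence: treat as suspicious
	}
	if !strings.HasPrefix(decoded, prefix) {
		return false
	}
	id, _, ok := strings.Cut(strings.TrimPrefix(decoded, prefix), "/")
	if !ok || id == "" {
		return false
	}
	return !strings.HasPrefix(path.Clean(decoded), prefix+id+"/")
}

// flagTraversalLines returns the lines of a simplified access log whose
// request path is a traversal attempt. The assumed line format is
// `<client> "<METHOD> <path> HTTP/1.1" <status>`.
func flagTraversalLines(lines []string) []string {
	var hits []string
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) < 4 {
			continue
		}
		// fields[2] is the request path inside the quoted request line.
		if isTraversalRequest(fields[2]) {
			hits = append(hits, line)
		}
	}
	return hits
}

func main() {
	// Constructed sample log lines (not real traffic).
	sample := []string{
		`10.0.0.5 "GET /public/plugins/alertlist/module.js HTTP/1.1" 200`,
		`10.0.0.9 "GET /public/plugins/alertlist/../../../../../../etc/passwd HTTP/1.1" 200`,
		`10.0.0.9 "GET /public/plugins/alertlist/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200`,
	}
	for _, hit := range flagTraversalLines(sample) {
		fmt.Println("traversal attempt:", hit)
	}

	// Assumed plugin directory for the containment check.
	base := "/var/lib/grafana/plugins/alertlist"
	if _, err := safePluginFile(base, "../../../../../../etc/passwd"); err != nil {
		fmt.Println("rejected:", err)
	}
	if p, err := safePluginFile(base, "img/../module.js"); err == nil {
		fmt.Println("served:", p)
	}
}
```

Two caveats for anyone adapting this: the containment check operates on the lexical path only, so a symlink planted inside the plugin directory would still need `filepath.EvalSymlinks` on the resolved file before it is opened; and the log heuristic decodes exactly once, so doubly encoded requests are not caught and a status code of 200 on a flagged line is the signal worth escalating.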