Grafana is vulnerable to directory traversal, allowing access to local files. We have confirmed this for versions v8.0.0-beta1 to v8.3.0. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.
The vulnerable URL path is /public/plugins/<plugin-id>/, where <plugin-id> is the plugin ID of any installed plugin.
Every Grafana instance ships with a set of built-in plugins (for example the Prometheus and MySQL data source plugins), so the following URL paths are vulnerable on every instance:
- /public/plugins/alertlist/
- /public/plugins/annolist/
- /public/plugins/barchart/
- /public/plugins/bargauge/
- /public/plugins/candlestick/
- /public/plugins/cloudwatch/
- /public/plugins/dashlist/
- /public/plugins/elasticsearch/
- /public/plugins/gauge/
- /public/plugins/geomap/
- /public/plugins/gettingstarted/
- /public/plugins/grafana-azure-monitor-datasource/
- /public/plugins/graph/
- /public/plugins/heatmap/
- /public/plugins/histogram/
- /public/plugins/influxdb/
- /public/plugins/jaeger/
- /public/plugins/logs/
- /public/plugins/loki/
- /public/plugins/mssql/
- /public/plugins/mysql/
- /public/plugins/news/
- /public/plugins/nodeGraph/
- /public/plugins/opentsdb/
- /public/plugins/piechart/
- /public/plugins/pluginlist/
- /public/plugins/postgres/
- /public/plugins/prometheus/
- /public/plugins/stackdriver/
- /public/plugins/stat/
- /public/plugins/state-timeline/
- /public/plugins/status-history/
- /public/plugins/table/
- /public/plugins/table-old/
- /public/plugins/tempo/
- /public/plugins/testdata/
- /public/plugins/text/
- /public/plugins/timeseries/
- /public/plugins/welcome/
- /public/plugins/zipkin/
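As an added example (not part of this advisory and not Grafana's own code), the following Python script scans web-server access log lines for requests to the /public/plugins/<plugin-id>/ path described above that carry a path-traversal segment. It percent-decodes the request path up to twice so that encoded forms such as %2e%2e and %252e%252e are caught as well as a literal "..", and it flags whether the plugin ID is one of the built-in ones listed above. The log lines, client addresses and requested files are constructed sample data, and the log format is assumed to be the common Apache/nginx combined format; adapt LOG_RE if your server logs differently.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Plugin IDs bundled with every Grafana install, taken from the advisory list above.
BUNDLED_PLUGIN_IDS = frozenset({
    "alertlist", "annolist", "barchart", "bargauge", "candlestick", "cloudwatch",
    "dashlist", "elasticsearch", "gauge", "geomap", "gettingstarted",
    "grafana-azure-monitor-datasource", "graph", "heatmap", "histogram", "influxdb",
    "jaeger", "logs", "loki", "mssql", "mysql", "news", "nodeGraph", "opentsdb",
    "piechart", "pluginlist", "postgres", "prometheus", "stackdriver", "stat",
    "state-timeline", "status-history", "table", "table-old", "tempo", "testdata",
    "text", "timeseries", "welcome", "zipkin",
})

# Assumed log format: Apache/nginx "combined" style access log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic). Lines 2-4 are traversal attempts in
# plain, single-encoded and double-encoded form; line 5 is traversal outside the plugin path.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Dec/2021:10:15:01 +0000] "GET /public/plugins/prometheus/img/logo.svg HTTP/1.1" 200 1432
203.0.113.9 - - [07/Dec/2021:10:15:03 +0000] "GET /public/plugins/prometheus/../../../../../../../etc/passwd HTTP/1.1" 200 2301
203.0.113.9 - - [07/Dec/2021:10:15:04 +0000] "GET /public/plugins/mysql/%2e%2e/%2e%2e/%2e%2e/etc/grafana/grafana.ini HTTP/1.1" 200 8819
203.0.113.9 - - [07/Dec/2021:10:15:05 +0000] "GET /public/plugins/custom-plugin/%252e%252e/%252e%252e/var/lib/grafana/grafana.db HTTP/1.1" 403 0
203.0.113.12 - - [07/Dec/2021:10:15:06 +0000] "GET /api/../etc/passwd HTTP/1.1" 404 32
"""


def decode_path(raw: str) -> str:
    """Drop the query string, percent-decode at most twice (catches %2e%2e and
    %252e%252e), and normalise backslashes so "..\\" is seen as a segment too."""
    path = raw.split("?", 1)[0]
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def classify_request(raw_path: str) -> Optional[dict]:
    """Return details when the request targets /public/plugins/<id>/ and contains
    a '..' segment after decoding; otherwise None."""
    path = decode_path(raw_path)
    m = re.match(r"^/public/plugins/([^/]+)/(.*)$", path)
    if not m:
        return None
    plugin_id, rest = m.group(1), m.group(2)
    if ".." not in rest.split("/"):
        return None
    return {
        "plugin_id": plugin_id,
        "bundled": plugin_id in BUNDLED_PLUGIN_IDS,
        "decoded_path": path,
    }


def scan_access_log(text: str) -> list:
    """Parse each log line and collect traversal attempts against the plugin path."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify_request(m["path"])
        if hit is not None:
            hit.update(ip=m["ip"], method=m["method"], status=int(m["status"]))
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        flag = "bundled" if h["bundled"] else "third-party"
        print(f'{h["ip"]} {h["method"]} {h["decoded_path"]} -> {h["status"]} ({flag} plugin)')
```

Any hit whose status is 200 deserves immediate triage, since on the affected versions the server would have returned the requested file's contents; a non-2xx status only tells you that particular request did not succeed. The scan matches any <plugin-id>, not just the built-in ones, because the advisory states the path is vulnerable for every installed plugin; the "bundled" flag merely tells you whether the attacker needed prior knowledge of your plugin set.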