Bugzilla – Bug 1193492
VUL-0: CVE-2021-43798: grafana: arbitrary file read in the graph native plugin
Last modified: 2021-12-13 08:21:39 UTC
Created attachment 854380
Screenshot of a PoC
An arbitrary file read was dropped on Twitter on 2021-12-04. For the moment, no upstream fix is available.
A quick analysis of the code makes the vulnerability probable, but we should monitor for acknowledgement from the Grafana dev team, as well as for a fix.
The probable vulnerable code is in the getPluginAssets method, in grafana/blob/main/pkg/api/plugins.go:284.
Upstream fix commit:
The vulnerable commit was introduced in v8.0.0, but every version that we ship is <7.5.11. Moreover, I checked that the vulnerable commit has not been backported. Therefore, I think we are not affected.
In light of the importance this vulnerability seems to be taking on, it would be great if someone could double-check my assessment.
Cloud 8 and Cloud 9 both use version 6.7.4, and are thus not impacted.
Back to Security team.
Thanks Christian for confirming. Closing since we are not affected.