Bug 1193492 - (CVE-2021-43798) VUL-0: CVE-2021-43798: grafana: arbitrary file read in the graph native plugin
VUL-0: CVE-2021-43798: grafana: arbitrary file read in the graph native plugin
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P2 - High : Major
: ---
Assigned To: Security Team bot
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2021-12-07 16:53 UTC by Thomas Leroy
Modified: 2021-12-13 08:21 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Screenshot of a poc (371.59 KB, image/jpeg)
2021-12-07 16:53 UTC, Thomas Leroy

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Leroy 2021-12-07 16:53:27 UTC
Created attachment 854380 [details]
Screenshot of a poc

An arbitrary file read has been dropped on Twitter on 2021-12-04. For the moment, no upstream fix is given.

A quick analysis of the code make the vuln probable, but we should monitor for acknowledgement from Grafana dev team, as well as a fix.

Probable vulnerable code is in getPluginAssets method, in grafana/blob/main/pkg/api/plugins.go:284.

Comment 3 Thomas Leroy 2021-12-08 16:27:59 UTC
The vulnerable commit [0] has been introduced in v8.0.0. But every version that we ship is <7.5.11. Moreover, I checked that the vulnerable commit has not been backported. Therefore, I think we are not affected.
In light of the importance this vulnerability seems to take, that would be great if someone can double-check my assessment.

[0] https://github.com/grafana/grafana/commit/c37a3bebb7b5eb3a0bee5ffb26798282f0abead0
Comment 4 Christian Almeida de Oliveira 2021-12-09 15:31:21 UTC
Cloud 8 and Cloud 9 use both version 6.7.4, thus not impacted.
Back to Security team.
Comment 5 Thomas Leroy 2021-12-13 08:21:39 UTC
Thanks Christian for confirming. Closing since we are not affected.