CVE-2021-43798

Grafana path traversal

Basic Information

CVE State: PUBLISHED
Reserved Date: November 16, 2021
Published Date: December 07, 2021
Last Updated: October 21, 2025
Vendor: grafana
Product: grafana
Description: Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) are vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `/public/plugins/<plugin-id>/`, where `<plugin-id>` is the plugin ID for any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline.
Tags: cisa nuclei_scanner

CVSS Scores

CVSS v3.1

7.5 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

SSVC Information

Exploitation: active
Automatable: Yes
Technical Impact: partial

Exploit Status

Exploited in the Wild: Yes (2026-06-01 13:30:37 UTC)
Proof of Concept Available: Yes (added 2021-12-07 09:02:16 UTC)

Known Exploited Vulnerability Information

Source Added Date
CVE 2026-06-01 10:41:56 UTC

Scanner Integrations

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

monke443/CVE-2021-43798

Type: github • Created: 2025-03-06 17:31:27 UTC • Stars: 2

Arbitrary file read in Grafana allows an attacker to read server files by abusing a path traversal.

0xSAZZAD/Grafana-CVE-2021-43798

Type: github • Created: 2024-10-05 18:51:12 UTC • Stars: 2

Python implementation of a tool for decrypting and encrypting sensitive data in Grafana, specifically addressing the vulnerabilities associated with CVE-2021-43798. Grafana encrypts all data source passwords using the AES algorithm with the secret_key found in the defaults.ini configuration file.

Sic4rio/Grafana-Decryptor-for-CVE-2021-43798

Type: github • Created: 2024-07-02 08:43:45 UTC • Stars: 3

Grafana Decryptor for CVE-2021-43798

K3ysTr0K3R/CVE-2021-43798-EXPLOIT

Type: github • Created: 2024-03-04 18:32:21 UTC • Stars: 4

A PoC exploit for CVE-2021-43798 - Grafana Directory Traversal

katseyres2/CVE-2021-43798

Type: github • Created: 2023-10-26 14:21:49 UTC • Stars: 0

hupe1980/CVE-2021-43798

Type: github • Created: 2022-10-08 15:31:19 UTC • Stars: 3

Grafana - Directory Traversal and Arbitrary File Read

rodpwn/CVE-2021-43798-mass_scanner

Type: github • Created: 2022-01-08 02:58:18 UTC • Stars: 5

rnsss/CVE-2021-43798-poc

Type: github • Created: 2022-01-06 09:25:35 UTC • Stars: 0

Grafana 8.x arbitrary file read

Ryze-T/CVE-2021-43798

Type: github • Created: 2021-12-14 17:05:41 UTC • Stars: 2

Grafana 8.x arbitrary file read

pedrohavay/exploit-grafana-CVE-2021-43798

Type: github • Created: 2021-12-11 18:49:30 UTC • Stars: 40

This is a proof-of-concept exploit for Grafana's Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798).

LongWayHomie/CVE-2021-43798

Type: github • Created: 2021-12-11 16:24:58 UTC • Stars: 1

CVE-2021-43798 is a vulnerability marked as High priority (CVSS 7.5) leading to arbitrary file read via installed plugins in Grafana application.

fanygit/Grafana-CVE-2021-43798Exp

Type: github • Created: 2021-12-09 11:25:47 UTC • Stars: 2

CVE-2021-43798Exp multithreaded batch verification script

Mo0ns/Grafana_POC-CVE-2021-43798

Type: github • Created: 2021-12-09 09:53:25 UTC • Stars: 9

Grafana-POC arbitrary file read vulnerability (CVE-2021-43798)

z3n70/CVE-2021-43798

Type: github • Created: 2021-12-09 09:48:40 UTC • Stars: 5

Simple program for exploiting Grafana

s1gh/CVE-2021-43798

Type: github • Created: 2021-12-08 14:14:38 UTC • Stars: 4

M0ge/CVE-2021-43798-grafana_fileread

Type: github • Created: 2021-12-08 03:43:31 UTC • Stars: 17

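grafana CVE-2021-43798 arbitrary file read vulnerability POC; uses a multi-plugin polling detection method and allows specifying a single URL or reading URLs from a file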

asaotomo/CVE-2021-43798-Grafana-Exp

Type: github • Created: 2021-12-07 14:06:26 UTC • Stars: 11

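Batch detection tool for the arbitrary file read vulnerability in Grafana v8.*: this vulnerability is currently a 0-day, and an unauthorized attacker can exploit it to obtain sensitive files from the server.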

Mr-xn/CVE-2021-43798

Type: github • Created: 2021-12-07 12:47:58 UTC • Stars: 25

CVE-2021-43798: Grafana arbitrary file read vulnerability

ScorpionsMAX/CVE-2021-43798-Grafana-POC

Type: github • Created: 2021-12-07 10:43:30 UTC • Stars: 14

CVE-2021-43798 Grafana arbitrary file read vulnerability POC + parameters

jas502n/Grafana-CVE-2021-43798

Type: github • Created: 2021-12-07 09:02:16 UTC • Stars: 358

Grafana Unauthorized arbitrary file reading vulnerability

zer0yu/CVE-2021-43798

Type: github • Created: 2021-12-07 08:59:11 UTC • Stars: 27

Grafana Arbitrary File Reading Vulnerability

taythebot/CVE-2021-43798

Type: github • Created: 2021-12-06 20:10:23 UTC • Stars: 37

CVE-2021-43798 - Grafana 8.x Path Traversal (Pre-Auth)

Timeline

  • CVE ID Reserved

  • Proof of Concept Exploit Available

  • CVE Published to Public

  • Detected by Nuclei

  • Added to KEVIntel