CVE-2021-43813

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2021-43813
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-43813.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-43813
Aliases
Downstream
Related
Published
2021-12-10T18:15:08.260Z
Modified
2026-02-02T21:35:01.819260Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
[none]
Details

Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files with the extension .md to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Users should upgrade to patched versions 8.3.2 or 7.5.12. For users who cannot upgrade, running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to also be able to handle url encoded paths. Alternatively, for fully lowercase or fully uppercase .md files, users can block /api/plugins/./markdown/. without losing any functionality beyond inlined plugin help text.

References

Affected packages

Git / github.com/grafana/grafana

Affected ranges

Type
GIT
Repo
https://github.com/grafana/grafana
Events
Introduced
af6e28366bf3413ee3af56c540513dd70f467c41
Fixed
896df7435dfd03ce9f4665e7af8c07fc72743283
Introduced
41f0542c1ec16ce93b336a9f5cf6eef1aba898d0
Fixed
afb9e8e5f3c33fa59c5a1053d98d8d97815af002

Affected versions

v5.*
v5.,2.4
v5.0.0
v6.*
v6.0.0-beta1
v6.5
v7.*
v7.5.0
v7.5.0-beta1
v7.5.0-beta2
v7.5.1
v7.5.10
v7.5.11
v7.5.2
v7.5.3
v7.5.4
v7.5.5
v7.5.6
v7.5.7
v7.5.8
v7.5.9

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-43813.json"