title: Grafana Path Traversal Exploitation CVE-2021-43798
id: 7b72b328-5708-414f-9a2a-6a6867c26e16
status: experimental
description: Detects a successful Grafana path traversal exploitation 
author: Florian Roth
references:
  - https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/
  - https://github.com/search?q=CVE-2021-43798
date: 2021/12/08
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection_traversal:
    c-uri|contains: '/../../../../../../../'
    sc-status: 200
  selection_plugins:
    c-uri|contains:
        - '/public/plugins/live'
        - '/public/plugins/icon'
        - '/public/plugins/loki'
        - '/public/plugins/text'
        - '/public/plugins/logs'
        - '/public/plugins/news'
        - '/public/plugins/stat'
        - '/public/plugins/mssql'
        - '/public/plugins/mixed'
        - '/public/plugins/mysql'
        - '/public/plugins/tempo'
        - '/public/plugins/graph'
        - '/public/plugins/gauge'
        - '/public/plugins/table'
        - '/public/plugins/debug'
        - '/public/plugins/zipkin'
        - '/public/plugins/jaeger'
        - '/public/plugins/geomap'
        - '/public/plugins/canvas'
        - '/public/plugins/grafana'
        - '/public/plugins/welcome'
        - '/public/plugins/xychart'
        - '/public/plugins/heatmap'
        - '/public/plugins/postgres'
        - '/public/plugins/testdata'
        - '/public/plugins/opentsdb'
        - '/public/plugins/influxdb'
        - '/public/plugins/barchart'
        - '/public/plugins/annolist'
        - '/public/plugins/bargauge'
        - '/public/plugins/graphite'
        - '/public/plugins/dashlist'
        - '/public/plugins/piechart'
        - '/public/plugins/dashboard'
        - '/public/plugins/nodeGraph'
        - '/public/plugins/alertlist'
        - '/public/plugins/histogram'
        - '/public/plugins/table-old'
        - '/public/plugins/pluginlist'
        - '/public/plugins/timeseries'
        - '/public/plugins/cloudwatch'
        - '/public/plugins/prometheus'
        - '/public/plugins/stackdriver'
        - '/public/plugins/alertGroups'
        - '/public/plugins/alertmanager'
        - '/public/plugins/elasticsearch'
        - '/public/plugins/gettingstarted'
        - '/public/plugins/state-timeline'
        - '/public/plugins/status-history'
        - '/public/plugins/grafana-clock-panel'
        - '/public/plugins/grafana-simple-json-datasource'
        - '/public/plugins/grafana-azure-monitor-datasource'
  condition: all of selection*
fields:
  - c-ip
  - c-dns
falsepositives:
  - Vulnerability scanners that scan a host that returns 200 status codes even in cases of a file not found or other error
level: critical