U.S. CISA adds Grafana flaw to its Known Exploited Vulnerabilities catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the Grafana directory traversal vulnerability (CVE-2021-43798) to its Known Exploited Vulnerabilities catalog. The flaw affects Grafana versions 8.0.0-beta1 through 8.3.0 (except patched releases) and lets an attacker read sensitive files on the server. CISA requires federal agencies to remediate it by October 30, 2025. 2025-10-10 08:27:2 Author: securityaffairs.com

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Grafana flaw to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Grafana flaw, tracked as CVE-2021-43798 (CVSS score 7.5), to its Known Exploited Vulnerabilities (KEV) catalog.

Grafana is an open-source platform for monitoring and observability.

This flaw is a directory traversal vulnerability affecting versions 8.0.0-beta1 through 8.3.0 (except patched releases). Attackers can exploit the flaw to access local files on the server by manipulating the plugin path in the URL:

<grafana_host_url>/public/plugins/<plugin-id>/

By exploiting this path, an attacker could read sensitive files outside the intended directories, potentially exposing system or configuration data.

Grafana Cloud was never affected, but self-hosted instances must update to versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1 to fix the issue.
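Two things a defender wants from the paragraphs above: a quick triage of whether a self-hosted Grafana version falls in the affected range, and a check of web-server access logs for parent-directory sequences under the plugin path the article names. The script below is an added example, not code from Security Affairs or the Grafana project. It assumes that later patch levels on a fixed minor line (8.0.8, 8.1.9, ...) are also fixed, which the article does not spell out, and the log lines it inspects are constructed in a combined-log-like format for illustration.

```python
import re
from urllib.parse import unquote

# Grafana-style version strings: "8.3.0" or a pre-release such as "8.0.0-beta1".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)(\d+))?$")


def parse_version(v):
    """Return a sortable tuple; a pre-release sorts before its final release."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {v!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    if m.group(4):  # e.g. beta1 -> (..., 0, 1): before the release (..., 1, 0)
        return (major, minor, patch, 0, int(m.group(5)))
    return (major, minor, patch, 1, 0)


# Range stated in the advisory: 8.0.0-beta1 through 8.3.0, except patched releases.
FIRST_AFFECTED = parse_version("8.0.0-beta1")
LAST_AFFECTED = parse_version("8.3.0")
# First fixed patch level per 8.x minor line (8.0.7, 8.1.8, 8.2.7, 8.3.1).
# Assumption: higher patch levels on the same minor line are fixed as well.
FIXED_PATCH = {0: 7, 1: 8, 2: 7, 3: 1}


def is_affected(version):
    """True when a self-hosted Grafana version is in the CVE-2021-43798 range."""
    pv = parse_version(version)
    if pv < FIRST_AFFECTED or pv > LAST_AFFECTED:
        return False
    minor, patch, is_release = pv[1], pv[2], pv[3]
    fixed = FIXED_PATCH.get(minor)
    if fixed is not None and is_release and patch >= fixed:
        return False
    return True


# Combined-log-style access line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# A ".." path segment delimited by / or \ (or at either end of the path).
TRAVERSAL_RE = re.compile(r"(^|[/\\])\.\.([/\\]|$)")


def is_traversal_attempt(path):
    """True for a request under /public/plugins/ whose decoded path climbs out of the plugin directory."""
    decoded = path
    for _ in range(2):  # decode twice so double-encoded sequences are caught too
        decoded = unquote(decoded)
    decoded = decoded.split("?", 1)[0]  # ignore the query string
    return decoded.startswith("/public/plugins/") and TRAVERSAL_RE.search(decoded) is not None


def find_traversal_attempts(log_text):
    """Return (client, raw path, status) for each suspicious plugin-path request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits


# Constructed sample log lines (not real traffic): one normal plugin asset fetch,
# two traversal attempts (single- and double-encoded), one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2025:08:27:02 +0000] "GET /public/plugins/grafana-clock-panel/module.js HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2025:08:27:03 +0000] "GET /public/plugins/alertlist/..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1834
10.0.0.9 - - [10/Oct/2025:08:27:04 +0000] "GET /public/plugins/alertlist/%252e%252e%252f%252e%252e%252fconf%252fdefaults.ini HTTP/1.1" 200 2044
10.0.0.7 - - [10/Oct/2025:08:27:05 +0000] "GET /api/health HTTP/1.1" 200 42
"""

if __name__ == "__main__":
    for v in ("7.5.11", "8.0.0-beta1", "8.2.6", "8.2.7", "8.3.0", "8.3.1"):
        print(f"{v:12} affected={is_affected(v)}")
    for ip, path, status in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path} -> HTTP {status}")
```

A 200 status on a flagged request is the line worth escalating: on an unpatched instance it means the file read likely succeeded, so the host should be treated as compromised rather than merely probed.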

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by October 30, 2025.

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

Source: https://securityaffairs.com/183192/hacking/u-s-cisa-adds-grafana-flaw-to-its-known-exploited-vulnerabilities-catalog.html