{"api_version":"1","generated_at":"2026-04-23T00:40:42+00:00","cve":"CVE-2021-43798","urls":{"html":"https://cve.report/CVE-2021-43798","api":"https://cve.report/api/cve/CVE-2021-43798.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-43798","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-43798"},"summary":{"title":"CVE-2021-43798","description":"Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `<grafana_host_url>/public/plugins//`, where is the plugin ID for any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2021-12-07 19:15:00","updated_at":"2022-04-12 18:06:00"},"problem_types":["CWE-22"],"metrics":[],"references":[{"url":"https://github.com/grafana/grafana/commit/c798c0e958d15d9cc7f27c72113d572fa58545ce","name":"https://github.com/grafana/grafana/commit/c798c0e958d15d9cc7f27c72113d572fa58545ce","refsource":"MISC","tags":[],"title":"Security: Fix directory traversal issue (#42846) · grafana/grafana@c798c0e · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/","name":"https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/","refsource":"CONFIRM","tags":[],"title":"An update on 0day CVE-2021-43798: Grafana directory traversal | Grafana Labs","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://packetstormsecurity.com/files/165198/Grafana-Arbitrary-File-Reading.html","name":"http://packetstormsecurity.com/files/165198/Grafana-Arbitrary-File-Reading.html","refsource":"MISC","tags":[],"title":"Grafana Arbitrary File Reading ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2021/12/09/2","name":"[oss-security] 20211209 CVE-2021-43798 Grafana directory traversal","refsource":"MLIST","tags":[],"title":"oss-security - CVE-2021-43798 Grafana directory traversal","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20211229-0004/","name":"https://security.netapp.com/advisory/ntap-20211229-0004/","refsource":"CONFIRM","tags":[],"title":"December 2021 Grafana Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p","name":"https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p","refsource":"CONFIRM","tags":[],"title":"Grafana path traversal · Advisory · grafana/grafana · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2021/12/10/4","name":"[oss-security] 20211210 CVE-2021-43813 and CVE-2021-43815 - Grafana directory traversal for some .md and .csv files","refsource":"MLIST","tags":[],"title":"oss-security - CVE-2021-43813 and CVE-2021-43815 - Grafana directory traversal for\n some .md and .csv files","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://packetstormsecurity.com/files/165221/Grafana-8.3.0-Directory-Traversal-Arbitrary-File-Read.html","name":"http://packetstormsecurity.com/files/165221/Grafana-8.3.0-Directory-Traversal-Arbitrary-File-Read.html","refsource":"MISC","tags":[],"title":"Grafana 8.3.0 Directory Traversal / Arbitrary File Read ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-43798","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43798","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"43798","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"grafana","cpe5":"grafana","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"43798","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"grafana","cpe5":"grafana","cpe6":"8.0.0","cpe7":"beta1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"43798","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"grafana","cpe5":"grafana","cpe6":"8.0.0","cpe7":"beta2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"43798","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"grafana","cpe5":"grafana","cpe6":"8.0.0","cpe7":"beta3","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"43798","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"grafana","cpe5":"grafana","cpe6":"8.3.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":{"cve_year":"2021","cve_id":"43798","cve":"CVE-2021-43798","vendorProject":"Grafana Labs","product":"Grafana","vulnerabilityName":"Grafana Path Traversal Vulnerability","dateAdded":"2025-10-09","shortDescription":"Grafana contains a path traversal vulnerability that could allow access to local files.","requiredAction":"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.","dueDate":"2025-10-30","knownRansomwareCampaignUse":"Unknown","notes":"https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/ ; https://nvd.nist.gov/vuln/detail/CVE-2021-43798","cwes":"CWE-22","catalogVersion":"2026.04.22","updated_at":"2026-04-22 20:03:10"},"epss":{"cve_year":"2021","cve_id":"43798","cve":"CVE-2021-43798","epss":"0.944380000","percentile":"0.999880000","score_date":"2026-04-22","updated_at":"2026-04-23 00:03:16"},"legacy_qids":[{"cve":"CVE-2021-43798","qid":"150439","title":"Grafana Path Traversal Vulnerability (CVE-2021-43798)"},{"cve":"CVE-2021-43798","qid":"502097","title":"Alpine Linux Security Update for grafana"},{"cve":"CVE-2021-43798","qid":"502302","title":"Alpine Linux Security Update for grafana"},{"cve":"CVE-2021-43798","qid":"690738","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for grafana (e33880ed-5802-11ec-8398-6c3be5272acd)"},{"cve":"CVE-2021-43798","qid":"730294","title":"Grafana Path Traversal Vulnerability"},{"cve":"CVE-2021-43798","qid":"752251","title":"SUSE Enterprise Linux Security Update for SUSE Manager Client Tools (SUSE-SU-2022:2134-1)"},{"cve":"CVE-2021-43798","qid":"752995","title":"SUSE Enterprise Linux Security Update for grafana (SUSE-SU-2022:4428-1)"},{"cve":"CVE-2021-43798","qid":"755764","title":"SUSE Enterprise Linux Security Update for SUSE Manager Client Tools (SUSE-SU-2024:0487-1)"},{"cve":"CVE-2021-43798","qid":"997073","title":"GO (Go) Security Update for github.com/grafana/grafana (GHSA-8pjx-jj86-j47p)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2021-43798","STATE":"PUBLIC","TITLE":"Grafana path traversal"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"grafana","version":{"version_data":[{"version_value":">= 8.0.0, < 8.0.7"},{"version_value":">= 8.1.0, < 8.1.8"},{"version_value":">= 8.2.0, < 8.2.7"},{"version_value":"= 8.3.0"}]}}]},"vendor_name":"grafana"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `<grafana_host_url>/public/plugins//`, where is the plugin ID for any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline."}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}]},"references":{"reference_data":[{"name":"https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p","refsource":"CONFIRM","url":"https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p"},{"name":"https://github.com/grafana/grafana/commit/c798c0e958d15d9cc7f27c72113d572fa58545ce","refsource":"MISC","url":"https://github.com/grafana/grafana/commit/c798c0e958d15d9cc7f27c72113d572fa58545ce"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/165198/Grafana-Arbitrary-File-Reading.html","url":"http://packetstormsecurity.com/files/165198/Grafana-Arbitrary-File-Reading.html"},{"refsource":"CONFIRM","name":"https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/","url":"https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/165221/Grafana-8.3.0-Directory-Traversal-Arbitrary-File-Read.html","url":"http://packetstormsecurity.com/files/165221/Grafana-8.3.0-Directory-Traversal-Arbitrary-File-Read.html"},{"refsource":"MLIST","name":"[oss-security] 20211209 CVE-2021-43798 Grafana directory traversal","url":"http://www.openwall.com/lists/oss-security/2021/12/09/2"},{"refsource":"MLIST","name":"[oss-security] 20211210 CVE-2021-43813 and CVE-2021-43815 - Grafana directory traversal for some .md and .csv files","url":"http://www.openwall.com/lists/oss-security/2021/12/10/4"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20211229-0004/","url":"https://security.netapp.com/advisory/ntap-20211229-0004/"}]},"source":{"advisory":"GHSA-8pjx-jj86-j47p","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2021-12-07 19:15:00","lastModifiedDate":"2022-04-12 18:06:00","problem_types":["CWE-22"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*","versionStartIncluding":"8.2.0","versionEndExcluding":"8.2.7","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*","versionStartIncluding":"8.1.0","versionEndExcluding":"8.1.8","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*","versionStartIncluding":"8.0.1","versionEndExcluding":"8.0.7","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:grafana:grafana:8.3.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:grafana:grafana:8.0.0:beta1:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:grafana:grafana:8.0.0:beta2:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:grafana:grafana:8.0.0:beta3:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"43798","Ordinal":"221367","Title":"CVE-2021-43798","CVE":"CVE-2021-43798","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"43798","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}