VYPR
Moderate severity · NVD Advisory · Published Dec 10, 2021 · Updated Aug 4, 2024

Grafana directory traversal for `.csv` files

CVE-2021-43815

Description

Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the developer testing tool called TestData DB data source enabled and configured. The vulnerability is limited in scope: it only allows authenticated users to read files with the extension .csv. Grafana Cloud instances have not been affected by the vulnerability. Versions 8.3.2 and 7.5.12 contain a patch for this issue. There is a workaround available for users who cannot upgrade: running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will also have to be able to handle URL-encoded paths.
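
The file-name check described above, reconstructed from the fix commits on this page as an added Go example (not Grafana's own code): the pre-fix check with its unanchored pattern beside the post-fix check with an anchored pattern and a root-anchored `filepath.Clean`, run over constructed file names. The static root path and the function names are assumptions.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// staticRoot stands in for Grafana's cfg.StaticRootPath (assumed value).
const staticRoot = "/usr/share/grafana/public"
// Pre-fix check: unanchored pattern, so any name merely containing "<word>.csv" passes and is joined as-is.
var vulnerableName = regexp.MustCompile(`([\w_]+)\.csv`)
func resolveVulnerable(fileName string) (string, bool) {
	if !vulnerableName.MatchString(fileName) {
		return "", false
	}
	return filepath.Join(staticRoot, "testdata", fileName), true
}

// Post-fix check (8.3.2 / 7.5.12): the pattern is anchored, and the name is
// root-anchored and cleaned before the join, so ".." segments are discarded.
var fixedName = regexp.MustCompile(`^\w+\.csv$`)

// rootAnchor mirrors the fix's Clean(Join("/", name)): a rooted path cannot climb above "/".
func rootAnchor(fileName string) string {
	return filepath.Clean(filepath.Join("/", fileName))
}

func resolveFixed(fileName string) (string, bool) {
	if !fixedName.MatchString(fileName) {
		return "", false
	}
	return filepath.Join(staticRoot, "testdata", rootAnchor(fileName)), true
}

// escapesTestdata: the containment check a regression test should assert on.
func escapesTestdata(p string) bool {
	base := filepath.Join(staticRoot, "testdata") + string(filepath.Separator)
	return !strings.HasPrefix(p, base)
}

func main() { // constructed sample names: one legitimate, one traversal attempt
	for _, name := range []string{"population_by_state.csv", "../../../../tmp/outside.csv"} {
		vp, vok := resolveVulnerable(name)
		fp, fok := resolveFixed(name)
		fmt.Printf("%q vulnerable: ok=%v escapes=%v | fixed: ok=%v %s\n", name, vok, vok && escapesTestdata(vp), fok, fp)
	}
}
```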

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/grafana/grafana (Go)
Affected versions: >= 8.0.0-beta3, < 8.3.2
Patched versions: 8.3.2

Patches

fd48aee61e43

chore(release-notes): add release notes for 8.2.3 and 7.5.12 (#42987)

https://github.com/grafana/grafana · Timur Olzhabayev · Dec 10, 2021 · via ghsa
5 files changed · +38 −2
  • CHANGELOG.md  +8 −0  modified
    @@ -1,3 +1,11 @@
    +<!-- 8.3.2 START -->
    +
    +# 8.3.2 (2021-12-10)
    +
    +- **Security**: Fixes CVE-2021-43813 and CVE-2021-PENDING. For more information, see our [blog](https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/
    +
    +<!-- 8.3.2 END -->
    +
     <!-- 8.3.1 START -->
     
     # 8.3.1 (2021-12-07)
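
Review bot: the new 8.3.2 entry's markdown link is unterminated: `[blog](https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/` has no closing `)`, so it will render as literal text rather than a link, whereas the same entry in the two release-notes files does close the parenthesis. `CVE-2021-PENDING` is also a placeholder; this advisory tracks CVE-2021-43815, so the entry should be updated once the identifier is final.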
    
  • docs/sources/release-notes/_index.md  +2 −0  modified
    @@ -8,6 +8,7 @@ weight = 10000
     Here you can find detailed release notes that list everything that is included in every release as well as notices
     about deprecations, breaking changes as well as changes that relate to plugin development.
     
    +- [Release notes for 8.3.2]({{< relref "release-notes-8-3-2" >}})
     - [Release notes for 8.3.1]({{< relref "release-notes-8-3-1" >}})
     - [Release notes for 8.3.0]({{< relref "release-notes-8-3-0" >}})
     - [Release notes for 8.3.0-beta2]({{< relref "release-notes-8-3-0-beta2" >}})
    @@ -45,6 +46,7 @@ about deprecations, breaking changes as well as changes that relate to plugin de
     - [Release notes for 8.0.0-beta3]({{< relref "release-notes-8-0-0-beta3" >}})
     - [Release notes for 8.0.0-beta2]({{< relref "release-notes-8-0-0-beta2" >}})
     - [Release notes for 8.0.0-beta1]({{< relref "release-notes-8-0-0-beta1" >}})
    +- [Release notes for 7.5.12]({{< relref "release-notes-7-5-12" >}})
     - [Release notes for 7.5.11]({{< relref "release-notes-7-5-11" >}})
     - [Release notes for 7.5.10]({{< relref "release-notes-7-5-10" >}})
     - [Release notes for 7.5.9]({{< relref "release-notes-7-5-9" >}})
    
  • docs/sources/release-notes/release-notes-7-5-12.md  +13 −0  added
    @@ -0,0 +1,13 @@
    ++++
    +title = "Release notes for Grafana 7.5.12"
    +[_build]
    +list = false
    ++++
    +
    +<!-- Auto generated by update changelog github action -->
    +
    +# Release notes for Grafana 7.5.12
    +
    +### Bug fixes
    +
    +- **Security**: Fixes CVE-2021-43813 and CVE-2021-PENDING. For more information, see our [blog](https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/)
    
  • docs/sources/release-notes/release-notes-8-3-2.md  +13 −0  added
    @@ -0,0 +1,13 @@
    ++++
    +title = "Release notes for Grafana 8.3.2"
    +[_build]
    +list = false
    ++++
    +
    +<!-- Auto generated by update changelog github action -->
    +
    +# Release notes for Grafana 8.3.2
    +
    +### Bug fixes
    +
    +- **Security**: Fixes CVE-2021-43813 and CVE-2021-PENDING. For more information, see our [blog](https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/)
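
Review bot: the commit title says "add release notes for 8.2.3 and 7.5.12", but this file, the CHANGELOG entry, the index link and latest.json are all for 8.3.2; the title looks like a transposition and should read 8.3.2. The `CVE-2021-PENDING` placeholder is duplicated verbatim across CHANGELOG.md and both release-notes files, so replacing it will need a coordinated three-file edit rather than a single follow-up.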
    
  • latest.json  +2 −2  modified
    @@ -1,4 +1,4 @@
     {
    -  "stable": "8.3.1",
    -  "testing": "8.3.1"
    +  "stable": "8.3.2",
    +  "testing": "8.3.2"
     }
    
d6ec6f8ad28f

Backport fix to main (#42979)

https://github.com/grafana/grafana · Marcus Efraimsson · Dec 10, 2021 · via ghsa
2 files changed · +13 −8
  • pkg/api/plugins.go  +10 −6  modified
    @@ -490,15 +490,15 @@ func (hs *HTTPServer) pluginMarkdown(ctx context.Context, pluginId string, name
     	}
     
     	// nolint:gosec
    -	// We can ignore the gosec G304 warning on this one because `plugin.PluginDir` is based
    -	// on plugin the folder structure on disk and not user input.
    -	path := filepath.Join(plugin.PluginDir, fmt.Sprintf("%s.md", strings.ToUpper(name)))
    +	// We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
    +	// use this with a prefix of the plugin's directory, which is set during plugin loading
    +	path := filepath.Join(plugin.PluginDir, mdFilepath(strings.ToUpper(name)))
     	exists, err := fs.Exists(path)
     	if err != nil {
     		return nil, err
     	}
     	if !exists {
    -		path = filepath.Join(plugin.PluginDir, fmt.Sprintf("%s.md", strings.ToLower(name)))
    +		path = filepath.Join(plugin.PluginDir, mdFilepath(strings.ToLower(name)))
     	}
     
     	exists, err = fs.Exists(path)
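
Review bot: no test accompanies this change (the commit touches only plugins.go and csv_data.go), so nothing asserts that a markdown name containing `..` or a path separator still resolves inside `plugin.PluginDir`; a table-driven test for `pluginMarkdown`, or for `mdFilepath` alone, would lock the fix in. The rewritten G304 comment could also say why cleaning makes the request-supplied name safe: `mdFilepath` joins it under `/` before cleaning, so any `..` segments are discarded against the root and the result is always a single rooted file name that `filepath.Join` then places beneath the plugin directory.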
    @@ -510,11 +510,15 @@ func (hs *HTTPServer) pluginMarkdown(ctx context.Context, pluginId string, name
     	}
     
     	// nolint:gosec
    -	// We can ignore the gosec G304 warning on this one because `plugin.PluginDir` is based
    -	// on plugin the folder structure on disk and not user input.
    +	// We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
    +	// use this with a prefix of the plugin's directory, which is set during plugin loading
     	data, err := ioutil.ReadFile(path)
     	if err != nil {
     		return nil, err
     	}
     	return data, nil
     }
    +
    +func mdFilepath(mdFilename string) string {
    +	return filepath.Clean(filepath.Join("/", fmt.Sprintf("%s.md", mdFilename)))
    +}
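
Review bot: the outer `filepath.Clean` in `mdFilepath` is redundant, since `filepath.Join` already returns a cleaned path; `filepath.Join("/", fmt.Sprintf("%s.md", mdFilename))` alone gives the same result. More importantly, the helper has no doc comment, and the rooted join is a non-obvious trick (it relies on `Clean` dropping `..` above `/`); a one-line comment saying that it returns a rooted, cleaned file name that cannot climb out of the directory it is later joined to would help the next reader and anyone auditing the `nolint:gosec` markers.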
    
  • pkg/tsdb/testdatasource/csv_data.go  +3 −2  modified
    @@ -77,13 +77,14 @@ func (s *Service) handleCsvFileScenario(ctx context.Context, req *backend.QueryD
     }
     
     func (s *Service) loadCsvFile(fileName string) (*data.Frame, error) {
    -	validFileName := regexp.MustCompile(`([\w_]+)\.csv`)
    +	validFileName := regexp.MustCompile(`^\w+\.csv$`)
     
     	if !validFileName.MatchString(fileName) {
     		return nil, fmt.Errorf("invalid csv file name: %q", fileName)
     	}
     
    -	filePath := filepath.Join(s.cfg.StaticRootPath, "testdata", fileName)
    +	csvFilepath := filepath.Clean(filepath.Join("/", fileName))
    +	filePath := filepath.Join(s.cfg.StaticRootPath, "testdata", csvFilepath)
     
     	// Can ignore gosec G304 here, because we check the file pattern above
     	// nolint:gosec
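
Review bot: the anchored pattern is the essential fix here: the old `([\w_]+)\.csv` was unanchored, so `MatchString` accepted any name that merely contained a `<word>.csv` substring, including names with `..` and separators, and the raw name was then joined onto `testdata`. With `^\w+\.csv$` (and `\w` being ASCII `[0-9A-Za-z_]` in Go's RE2, so the `_` in the old class was already redundant), no dot, slash or backslash can appear before `.csv`, which makes the added `filepath.Clean(filepath.Join("/", fileName))` defense in depth rather than the check itself; the existing G304 comment about checking the pattern above is therefore accurate now. As with plugins.go, this hunk adds no regression test; one that feeds `loadCsvFile` a name with a separator or `..` and expects the "invalid csv file name" error would be cheap and worthwhile.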
    

