#VU64400 Path traversal


Published: 2022-09-03

Vulnerability identifier: #VU64400

Vulnerability risk: Medium

CVE-ID: CVE-2022-32275

CWE-ID: CWE-22

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Grafana
Web applications / Other software

Vendor: Grafana Labs

Description

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to an input validation error when processing directory traversal sequences in the request path. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.

Exploitation example:
/dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd
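Added detection example (not part of the bulletin and not Grafana code): it canonicalizes each request path from constructed access-log lines in Combined Log Format, unwrapping repeated percent-encoding so double-encoded traversal is caught, and flags requests that try to climb above the web root. The second sample line is modelled on the exploitation example above; the log lines are constructed, not real traffic.

```python
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # enough to unwrap double/triple percent-encoding


def canonicalize(raw_path):
    """Return (resolved_path, escaped_root) after decoding and resolving '..'."""
    path = raw_path
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:  # nothing left to decode
            break
        path = decoded
    path = path.replace("\\", "/")  # treat backslashes as separators too
    stack, escaped = [], False
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True  # tried to step above the root
            continue
        stack.append(seg)
    return "/" + "/".join(stack), escaped


LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def scan_log(lines):
    """Return [(raw_path, resolved_path)] for requests that escape the web root."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        raw = m.group("path").split("?", 1)[0]  # drop the query string
        resolved, escaped = canonicalize(raw)
        if escaped:
            hits.append((raw, resolved))
    return hits


# Constructed sample access-log lines; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Sep/2022:10:00:01 +0000] "GET /dashboard/snapshot/abc123 HTTP/1.1" 200 512',
    '10.0.0.7 - - [03/Sep/2022:10:00:02 +0000] "GET /dashboard/snapshot/%7B%7Bconstructor.constructor/../../../../../../../../etc/passwd HTTP/1.1" 200 1804',
    '10.0.0.9 - - [03/Sep/2022:10:00:03 +0000] "GET /public/%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0',
    '10.0.0.4 - - [03/Sep/2022:10:00:04 +0000] "GET /api/report..2022.pdf HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for raw, resolved in scan_log(SAMPLE_LOG):
        print(f"traversal attempt: {raw} -> {resolved}")
```

Matching on the resolved path rather than on a literal `../` substring is what makes the double-encoded third line visible while leaving `report..2022.pdf` alone.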

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

Grafana: 8.4.3


External links
http://github.com/BrotherOfJhonny/grafana/blob/main/README.md
http://github.com/grafana/grafana/issues/50336

