An update on 0day CVE-2021-43798: Grafana directory traversal

Good ol path traversal <a href="https:&#x2F;&#x2F;github.com&#x2F;grafana&#x2F;grafana&#x2F;commit&#x2F;c798c0e958d15d9cc7f27c72113d572fa58545ce#diff-2e51080c3987968b4ea97b2aa6747caced5777413ba75deca2efdcc185cc2b12L293" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;grafana&#x2F;grafana&#x2F;commit&#x2F;c798c0e958d15d9cc7...</a>

Important note: I mixed up CVE-2021-41090 and CVE-2021-43798 in the initial version of the blog post. While that has been corrected and a note added to the blog post, it still lead to some confusion.<p>The 0day is only for Grafana-the-software, not for the Grafana Agent.<p>Also important to note: While the overall course of events is clearly less than ideal, we still strongly believe that Jordy did us good. Mistakes happen, and the intention was good. Overall, Grafana is now more secure than it was last week.

I wrote a script today to try and exploit this on our Grafana 8.1.2 instance but couldn&#x27;t. Using Oauth for auth and only got 302 redirects back to the login page. Anyone else able to exploit this with Oauth?

&gt; 2021-12-03 08:42: Jordy tweets and deletes about “read arbitrary files on the host, no authentication needed” (Editor’s note: We were not aware of this until 2021-12-07.)<p>Doesn&#x27;t quite sound like an &quot;ethical hacker&quot; to me.

As far as I can see the post does not mention the affected releases nor the versions to upgrade to.<p>Is 8.3.1 patched?

Affects all 8.x releases

Note: postmortem has a more dire meaning in non-tech circles (literally means &quot;after death&quot;). You want to say retrospective instead. I know it&#x27;s a difference in culture.

&gt; 2021-12-03: Release plan set: 2021-12-07 for private customer release, 2021-12-14 for public release<p>Does someone know why they were playing on sitting on the public release for a week after private release?<p>Seems that by doing this they allowed it to become a 0day.