GHSA-8pjx-jj86-j47p · Severity: high · Ecosystem: go — Grafana path traversal
Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `<grafana_host_url>/public/plugins//`, where is the plugin ID for any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline.
Conclusion & alert: CVE-2021-43798 is rated Critical Active Threat (84.9/100): CVSS High severity, with high exploitation likelihood (EPSS 88.85%, 100th percentile). Core evidence: CISA KEV confirms active exploitation (added 2025-10-09) affecting Grafana Labs / Grafana. a weakness (CWE-22) Unauthenticated remote administrative access may be possible. Mandatory action: The CISA remediation deadline has passed—treat as an emergency patch priority.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
: Grafana Path Traversal Vulnerability · CISA KEV detail
: 2025-10-09
: 2025-10-30
: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| 50581 | exploit_db | edb | 2021-12-09 | Exploit-DB ↗ |
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 94.44% | 88.85% | -5.59% |
| 2 | 2025-11-21 | 93.81% | 94.44% | +0.63% |
| 3 | 2025-11-18 | — | 93.81% | — |
Full EPSS history (36 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
| 5.0 | 2.0 | MEDIUM |
|
10.0 | 2.9 | [email protected] |
GHSA-8pjx-jj86-j47p · Severity: high · Ecosystem: go — Grafana path traversal
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
— | CVE-2021-43798: 1 source package rows (grafana); 9 state rows across 7 repos (3.17-community, 3.18-community, 3.19-community, 3.20-community, 3.21-community, 3.22-community, edge-community); fixed 7, open 2. | https://security.alpinelinux.org/vuln/CVE-2021-43798 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2021-43798 |
suse
|
high | — | https://www.suse.com/security/cve/CVE-2021-43798/ |
ubuntu
|
high | CVE-2021-43798 high priority: Ubuntu including 1 source packages (grafana), 15 status rows across 15 suites (bionic, focal, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 12, ignored 1, needs-triage 1, not-affected 1. | https://ubuntu.com/security/CVE-2021-43798 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| grafana | grafana | >= 8.0.1, < 8.0.7 | cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:* |
| grafana | grafana | >= 8.1.0, < 8.1.8 | cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:* |
| grafana | grafana | >= 8.2.0, < 8.2.7 | cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:* |
| grafana | grafana | 8.0.0 | cpe:2.3:a:grafana:grafana:8.0.0:beta1:*:*:*:*:*:* |
| grafana | grafana | 8.0.0 | cpe:2.3:a:grafana:grafana:8.0.0:beta2:*:*:*:*:*:* |
| grafana | grafana | 8.0.0 | cpe:2.3:a:grafana:grafana:8.0.0:beta3:*:*:*:*:*:* |
| grafana | grafana | 8.3.0 | cpe:2.3:a:grafana:grafana:8.3.0:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| http://packetstormsecurity.com/files/165198/Grafana-Arbitrary-File-Reading.html | Third Party Advisory VDB Entry |
| http://packetstormsecurity.com/files/165221/Grafana-8.3.0-Directory-Traversal-Arbitrary-File-Read.html | Exploit Third Party Advisory VDB Entry |
| http://www.openwall.com/lists/oss-security/2021/12/09/2 | Mailing List Patch Third Party Advisory |
| http://www.openwall.com/lists/oss-security/2021/12/10/4 | Mailing List Patch Third Party Advisory |
| https://github.com/grafana/grafana/commit/c798c0e958d15d9cc7f27c72113d572fa58545ce | Patch Third Party Advisory |
| https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p | Patch Vendor Advisory |
| https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/ | Vendor Advisory |
| https://security.netapp.com/advisory/ntap-20211229-0004/ | Third Party Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-43798 | US Government Resource |