Grafana Path Traversal Exploitation CVE-2021-43798
Detects a successful Grafana path traversal exploitation
Sigma rule

title: Grafana Path Traversal Exploitation CVE-2021-43798
id: 7b72b328-5708-414f-9a2a-6a6867c26e16
status: test
description: Detects a successful Grafana path traversal exploitation
references:
    - https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/
    - https://github.com/search?q=CVE-2021-43798
author: Florian Roth (Nextron Systems)
date: 2021-12-08
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2021-43798
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_traversal:
        cs-uri-query|contains: '/../../../../../../../'
        sc-status: 200
    selection_plugins:
        cs-uri-query|contains:
            - '/public/plugins/live'
            - '/public/plugins/icon'
            - '/public/plugins/loki'
            - '/public/plugins/text'
            - '/public/plugins/logs'
            - '/public/plugins/news'
            - '/public/plugins/stat'
            - '/public/plugins/mssql'
            - '/public/plugins/mixed'
            - '/public/plugins/mysql'
            - '/public/plugins/tempo'
            - '/public/plugins/graph'
            - '/public/plugins/gauge'
            - '/public/plugins/table'
            - '/public/plugins/debug'
            - '/public/plugins/zipkin'
            - '/public/plugins/jaeger'
            - '/public/plugins/geomap'
            - '/public/plugins/canvas'
            - '/public/plugins/grafana'
            - '/public/plugins/welcome'
            - '/public/plugins/xychart'
            - '/public/plugins/heatmap'
            - '/public/plugins/postgres'
            - '/public/plugins/testdata'
            - '/public/plugins/opentsdb'
            - '/public/plugins/influxdb'
            - '/public/plugins/barchart'
            - '/public/plugins/annolist'
            - '/public/plugins/bargauge'
            - '/public/plugins/graphite'
            - '/public/plugins/dashlist'
            - '/public/plugins/piechart'
            - '/public/plugins/dashboard'
            - '/public/plugins/nodeGraph'
            - '/public/plugins/alertlist'
            - '/public/plugins/histogram'
            - '/public/plugins/table-old'
            - '/public/plugins/pluginlist'
            - '/public/plugins/timeseries'
            - '/public/plugins/cloudwatch'
            - '/public/plugins/prometheus'
            - '/public/plugins/stackdriver'
            - '/public/plugins/alertGroups'
            - '/public/plugins/alertmanager'
            - '/public/plugins/elasticsearch'
            - '/public/plugins/gettingstarted'
            - '/public/plugins/state-timeline'
            - '/public/plugins/status-history'
            - '/public/plugins/grafana-clock-panel'
            - '/public/plugins/grafana-simple-json-datasource'
            - '/public/plugins/grafana-azure-monitor-datasource'
    condition: all of selection*
falsepositives:
    - Vulnerability scanners that scan a host that returns 200 status codes even in cases of a file not found or other error
fields:
    - c-ip
    - c-dns
level: critical
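The rule's detection section combines two selections with `all of selection*`: the request must contain the seven-level traversal string and return HTTP 200, and it must also reference one of the listed plugin directories. The following Python is an added illustration of that logic applied to webserver log lines; it is not SigmaHQ code and not the output of any Sigma backend. It assumes a constructed W3C-style line layout (`date time c-ip cs-method cs-uri-query sc-status`) and treats the `cs-uri-query` field as the full request URI, the way the rule uses it; the sample log lines, IPs and the `/target/file` path are constructed for the example.

```python
"""Run the detection logic of the Grafana CVE-2021-43798 Sigma rule over
constructed webserver log lines. Added example, not SigmaHQ code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values taken from the rule: the traversal substring and the 52 plugin paths.
TRAVERSAL = "/../../../../../../../"
PLUGIN_NAMES = """
live icon loki text logs news stat mssql mixed mysql tempo graph gauge table
debug zipkin jaeger geomap canvas grafana welcome xychart heatmap postgres
testdata opentsdb influxdb barchart annolist bargauge graphite dashlist piechart
dashboard nodeGraph alertlist histogram table-old pluginlist timeseries
cloudwatch prometheus stackdriver alertGroups alertmanager elasticsearch
gettingstarted state-timeline status-history grafana-clock-panel
grafana-simple-json-datasource grafana-azure-monitor-datasource
""".split()
PLUGIN_PATHS = tuple(f"/public/plugins/{name}" for name in PLUGIN_NAMES)


@dataclass
class WebLogEvent:
    """The three fields the rule and its `fields` list care about."""
    c_ip: str
    cs_uri_query: str
    sc_status: int


def parse_w3c_line(line: str) -> Optional[WebLogEvent]:
    """Parse one constructed line: date time c-ip cs-method cs-uri-query sc-status.
    Comment/#Fields lines and malformed lines yield None."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 6:
        return None
    _date, _time, c_ip, _method, uri, status = parts
    try:
        return WebLogEvent(c_ip=c_ip, cs_uri_query=uri, sc_status=int(status))
    except ValueError:
        return None


def contains(value: str, needle: str) -> bool:
    # Sigma string matching is case-insensitive unless the |cased modifier is set.
    return needle.lower() in value.lower()


def selection_traversal(ev: WebLogEvent) -> bool:
    # Both keys inside one selection are AND-ed: traversal string AND status 200.
    return contains(ev.cs_uri_query, TRAVERSAL) and ev.sc_status == 200


def selection_plugins(ev: WebLogEvent) -> bool:
    # A list under a single field is OR-ed: any plugin path matches.
    return any(contains(ev.cs_uri_query, path) for path in PLUGIN_PATHS)


def matches_rule(ev: WebLogEvent) -> bool:
    # condition: all of selection*
    return selection_traversal(ev) and selection_plugins(ev)


def detect(log_text: str) -> List[Tuple[str, str]]:
    """Return (c-ip, cs-uri-query) for every event the rule would alert on."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_w3c_line(line)
        if ev is not None and matches_rule(ev):
            hits.append((ev.c_ip, ev.cs_uri_query))
    return hits


# Constructed sample log: one true hit, one blocked attempt (404), one benign
# plugin asset fetch, one traversal outside the plugin directories.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2021-12-08 10:00:01 203.0.113.10 GET /public/plugins/text/../../../../../../../target/file 200
2021-12-08 10:00:02 203.0.113.10 GET /public/plugins/text/../../../../../../../target/file 404
2021-12-08 10:00:03 198.51.100.7 GET /public/plugins/text/module.js 200
2021-12-08 10:00:04 198.51.100.7 GET /api/health/../../../../../../../target/file 200
"""

if __name__ == "__main__":
    for c_ip, uri in detect(SAMPLE_LOG):
        print(f"ALERT critical: Grafana path traversal from {c_ip}: {uri}")
```

Only the first sample line fires: the second is the same request answered with 404, which the `sc-status: 200` check excludes so that blocked or failed attempts stay below the critical level, and the last line has a traversal but no plugin path. The false positive the rule names follows directly from that design: a host that answers 200 to every request, including missing files, turns a scanner's probes into matches, so on such hosts the analyst should confirm the response body or size before escalating.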
Related rules
- ADSelfService Exploitation
- Apache Spark Shell Command Injection - Weblogs
- Arcadyan Router Exploitations
- Atlassian Bitbucket Command Injection Via Archive API
- CVE-2010-5278 Exploitation Attempt