Grafana Path Traversal Exploitation CVE-2021-43798
Detects a successful Grafana path traversal exploitation
Sigma rule (View on GitHub)
1title: Grafana Path Traversal Exploitation CVE-2021-43798
2id: 7b72b328-5708-414f-9a2a-6a6867c26e16
3status: test
4description: Detects a successful Grafana path traversal exploitation
5references:
6 - https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/
7 - https://github.com/search?q=CVE-2021-43798
8author: Florian Roth (Nextron Systems)
9date: 2021/12/08
10modified: 2023/01/02
11tags:
12 - attack.initial_access
13 - attack.t1190
14 - cve.2021.43798
15 - detection.emerging_threats
16logsource:
17 category: webserver
18detection:
19 selection_traversal:
20 cs-uri-query|contains: '/../../../../../../../'
21 sc-status: 200
22 selection_plugins:
23 cs-uri-query|contains:
24 - '/public/plugins/live'
25 - '/public/plugins/icon'
26 - '/public/plugins/loki'
27 - '/public/plugins/text'
28 - '/public/plugins/logs'
29 - '/public/plugins/news'
30 - '/public/plugins/stat'
31 - '/public/plugins/mssql'
32 - '/public/plugins/mixed'
33 - '/public/plugins/mysql'
34 - '/public/plugins/tempo'
35 - '/public/plugins/graph'
36 - '/public/plugins/gauge'
37 - '/public/plugins/table'
38 - '/public/plugins/debug'
39 - '/public/plugins/zipkin'
40 - '/public/plugins/jaeger'
41 - '/public/plugins/geomap'
42 - '/public/plugins/canvas'
43 - '/public/plugins/grafana'
44 - '/public/plugins/welcome'
45 - '/public/plugins/xychart'
46 - '/public/plugins/heatmap'
47 - '/public/plugins/postgres'
48 - '/public/plugins/testdata'
49 - '/public/plugins/opentsdb'
50 - '/public/plugins/influxdb'
51 - '/public/plugins/barchart'
52 - '/public/plugins/annolist'
53 - '/public/plugins/bargauge'
54 - '/public/plugins/graphite'
55 - '/public/plugins/dashlist'
56 - '/public/plugins/piechart'
57 - '/public/plugins/dashboard'
58 - '/public/plugins/nodeGraph'
59 - '/public/plugins/alertlist'
60 - '/public/plugins/histogram'
61 - '/public/plugins/table-old'
62 - '/public/plugins/pluginlist'
63 - '/public/plugins/timeseries'
64 - '/public/plugins/cloudwatch'
65 - '/public/plugins/prometheus'
66 - '/public/plugins/stackdriver'
67 - '/public/plugins/alertGroups'
68 - '/public/plugins/alertmanager'
69 - '/public/plugins/elasticsearch'
70 - '/public/plugins/gettingstarted'
71 - '/public/plugins/state-timeline'
72 - '/public/plugins/status-history'
73 - '/public/plugins/grafana-clock-panel'
74 - '/public/plugins/grafana-simple-json-datasource'
75 - '/public/plugins/grafana-azure-monitor-datasource'
76 condition: all of selection*
77falsepositives:
78 - Vulnerability scanners that scan a host that returns 200 status codes even in cases of a file not found or other error
79fields:
80 - c-ip
81 - c-dns
82level: critical
References
-
Today we are releasing Grafana 8.3.1, 8.2.7, 8.1.8, and 8.0.7 which include an important high severity security fix. If you are affected, we recommend that you install newly released versions.
Read More -
GitHub is where people build software. More than 100 million people use GitHub to discover, fork, and contribute to over 420 million projects.
Read More
Related rules
- CVE-2010-5278 Exploitation Attempt
- CVE-2020-0688 Exchange Exploitation via Web Log
- CVE-2020-0688 Exploitation Attempt
- CVE-2020-10148 SolarWinds Orion API Auth Bypass
- CVE-2020-5902 F5 BIG-IP Exploitation Attempt