
Grafana Unauthenticated Arbitrary File Read

Description

The Grafana 8.x API has an arbitrary file read vulnerability: an attacker with no credentials can read any file on the target server that the Grafana process itself is permitted to read (configuration, data source credentials, system files), so sensitive server information can be leaked. As of this writing, the latest release has not fixed it.

Affected plugin paths

/public/plugins/alertlist/
/public/plugins/annolist/
/public/plugins/barchart/
/public/plugins/bargauge/
/public/plugins/candlestick/
/public/plugins/cloudwatch/
/public/plugins/dashlist/
/public/plugins/elasticsearch/
/public/plugins/gauge/
/public/plugins/geomap/
/public/plugins/gettingstarted/
/public/plugins/grafana-azure-monitor-datasource/
/public/plugins/graph/
/public/plugins/heatmap/
/public/plugins/histogram/
/public/plugins/influxdb/
/public/plugins/jaeger/
/public/plugins/logs/
/public/plugins/loki/
/public/plugins/mssql/
/public/plugins/mysql/
/public/plugins/news/
/public/plugins/nodeGraph/
/public/plugins/opentsdb/
/public/plugins/piechart/
/public/plugins/pluginlist/
/public/plugins/postgres/
/public/plugins/prometheus/
/public/plugins/stackdriver/
/public/plugins/stat/
/public/plugins/state-timeline/
/public/plugins/status-history/
/public/plugins/table/
/public/plugins/table-old/
/public/plugins/tempo/
/public/plugins/testdata/
/public/plugins/text/
/public/plugins/timeseries/
/public/plugins/welcome/
/public/plugins/zipkin/

Mitigations

Configure an access control policy (network ACL or a rule on the reverse proxy in front of Grafana) that allows only allowlisted source addresses to reach the service, so that no Grafana instance is exposed directly to the Internet. Apply the vendor's fix as soon as a patched release is available.
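As an added example (not code from the original page or from Grafana), the following Python script performs two checks that follow from the description and the mitigation section above: it scans access-log lines from a reverse proxy in front of Grafana for path-traversal segments under the /public/plugins/<plugin>/ routes listed above, and it flags any request whose client address falls outside the allowlist the mitigation recommends. The log lines, the allowlist 10.0.0.0/8, and the assumption that the file read is reached through `..` segments (possibly percent-encoded, possibly double-encoded) under those plugin paths are all constructed assumptions of this example, not statements from the page.

```python
import ipaddress
import re
from urllib.parse import unquote

# Plugin directories the page lists as exposed under /public/plugins/.
AFFECTED_PLUGINS = {
    "alertlist", "annolist", "barchart", "bargauge", "candlestick", "cloudwatch",
    "dashlist", "elasticsearch", "gauge", "geomap", "gettingstarted",
    "grafana-azure-monitor-datasource", "graph", "heatmap", "histogram",
    "influxdb", "jaeger", "logs", "loki", "mssql", "mysql", "news", "nodeGraph",
    "opentsdb", "piechart", "pluginlist", "postgres", "prometheus", "stackdriver",
    "stat", "state-timeline", "status-history", "table", "table-old", "tempo",
    "testdata", "text", "timeseries", "welcome", "zipkin",
}

# Assumed allowlist for the mitigation check (assumption: one internal range).
ALLOWLIST = ["10.0.0.0/8"]

# Combined-format access log line as written by a reverse proxy in front of Grafana.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PLUGIN_RE = re.compile(r"^/public/plugins/(?P<plugin>[^/]+)/")

# Constructed sample log lines (not real traffic). The two 203.0.113.7 requests and
# the "notaplugin" request carry traversal payloads; the other two are ordinary.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Dec/2021:10:00:01 +0000] "GET /public/plugins/alertlist/../../../../../../etc/passwd HTTP/1.1" 200 1831',
    '203.0.113.7 - - [07/Dec/2021:10:00:02 +0000] "GET /public/plugins/mysql/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/grafana/grafana.ini HTTP/1.1" 200 22918',
    '10.0.0.5 - - [07/Dec/2021:10:00:03 +0000] "GET /public/plugins/graph/module.js HTTP/1.1" 200 51200',
    '198.51.100.9 - - [07/Dec/2021:10:00:04 +0000] "GET /login HTTP/1.1" 200 4012',
    '10.0.0.5 - - [07/Dec/2021:10:00:05 +0000] "GET /public/plugins/notaplugin/../../etc/passwd HTTP/1.1" 404 29',
]


def normalize_path(raw_path):
    """Drop the query string, percent-decode repeatedly (catches %2e%2e and
    double-encoded %252e%252e) and fold backslashes so segments compare cleanly."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal_path(raw_path):
    """True when the decoded request path contains a '..' segment."""
    return ".." in normalize_path(raw_path).split("/")


def parse_line(line):
    """Parse one access-log line; None when it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"], "status": int(m["status"])}


def in_allowlist(ip_text, networks):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def analyze(lines, allowlist=ALLOWLIST):
    """One finding per suspicious line: a traversal under /public/plugins/<plugin>/
    and/or a client outside the allowlist. Unknown plugin names are still flagged,
    since the list above may not be complete."""
    networks = [ipaddress.ip_network(cidr) for cidr in allowlist]
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        plugin = None
        m = PLUGIN_RE.match(normalize_path(rec["path"]))
        if m:
            plugin = m["plugin"]
            if is_traversal_path(rec["path"]):
                reasons.append("traversal")
        if not in_allowlist(rec["ip"], networks):
            reasons.append("outside_allowlist")
        if reasons:
            findings.append({
                "ip": rec["ip"], "path": rec["path"], "status": rec["status"],
                "plugin": plugin, "known_affected": plugin in AFFECTED_PLUGINS,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['status']} {','.join(f['reasons']):28} "
              f"plugin={f['plugin']} known={f['known_affected']} {f['path']}")
```

Run it against the logs of whatever first receives the raw request: a proxy that collapses `..` before forwarding will hide the payload from Grafana's own log, so the proxy log is the one to inspect. A traversal request answered with 200 and a non-trivial body size is the strongest indicator that a file was actually served; a 404 or 403 on the same path still records an attempt worth attributing to a source address.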