Alpine: multiple grafana packages: security update to 8.3.2-r0

medium Tenable Cloud Security Plugin ID 404802

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and
7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The
vulnerability is limited in scope, and only allows access to files with the extension .md to authenticated
users only. Grafana Cloud instances have not been affected by the vulnerability. Users should upgrade to
patched versions 8.3.2 or 7.5.12. For users who cannot upgrade, running a reverse proxy in front of
Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to
also be able to handle url encoded paths. Alternatively, for fully lowercase or fully uppercase .md files,
users can block /api/plugins/.*/markdown/.* without losing any functionality beyond inlined plugin help
text. (CVE-2021-43813)

- Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and
7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the
developer testing tool called TestData DB data source enabled and configured. The vulnerability is limited
in scope, and only allows access to files with the extension .csv to authenticated users only. Grafana
Cloud instances have not been affected by the vulnerability. Versions 8.3.2 and 7.5.12 contain a patch for
this issue. There is a workaround available for users who cannot upgrade. Running a reverse proxy in front
of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to
also be able to handle url encoded paths. (CVE-2021-43815)

See Also

https://security.alpinelinux.org/vuln/CVE-2021-43813

https://security.alpinelinux.org/vuln/CVE-2021-43815

Plugin Details

Severity: Medium

ID: 404802

Version: Revision 1.27

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2021-43813

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2021-43815

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 12/10/2021

Reference Information

CVE: CVE-2021-43813, CVE-2021-43815