SCA: security update for github.com/grafana/grafana (GHSA-7533-c8qv-jm9m)

medium Tenable Cloud Security Plugin ID 434948

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and
7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the
developer testing tool called TestData DB data source enabled and configured. The vulnerability is limited
in scope, and only allows access to files with the extension .csv to authenticated users only. Grafana
Cloud instances have not been affected by the vulnerability. Versions 8.3.2 and 7.5.12 contain a patch for
this issue. There is a workaround available for users who cannot upgrade. Running a reverse proxy in front
of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to
also be able to handle url encoded paths. (CVE-2021-43815)

See Also

https://github.com/advisories/GHSA-7533-c8qv-jm9m

Plugin Details

Severity: Medium

ID: 434948

Version: Revision 1.2

Type: Local

Family: SCA Checks

Published: 8/20/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Low

Base Score: 3.5

Temporal Score: 2.6

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2021-43815

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/14/2024

Vulnerability Publication Date: 12/10/2021

Reference Information

CVE: CVE-2021-43815

cwe: CWE-22