Burp Suite User Forum


Active Scanner does not detect CVE-2021-43798 (Grafana Directory Traversal File Read)

dj | Last updated: Dec 14, 2021 07:02PM UTC

Hi,

Grafana recently posted about a vulnerability (CVE-2021-43798) in their product at https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/ This vulnerability consists of a file read via path traversal in the URL.

I noticed that Burp's Active scan is unable to detect this vulnerability in a vulnerable version of the product, regardless of the active scan settings I choose. Tested on Burp Pro v2021.10.3, and Pro 1.7.37.

The scanner does attempt traversals in the URL path for /etc/passwd, however it traverses up a directory before adding the traversal payload, which results in the vulnerability not being detected. E.g. the vulnerable path is /public/plugins/text/<traversal>. I make the request "GET /public/plugins/text/ HTTP/1.1" and select "Do Active Scan", however the scanner loses the "text" folder in traversal attempts and makes requests like:

GET /public/plugins/../../../../../../../../../../../../../../../../etc/passwd/ HTTP/1.1

I am able to make the scanner successfully detect the traversal by either:

- adding a dummy folder after the vulnerable path: /public/plugins/text/a/
- adding a manual insertion point and using "Scan defined insertion points": /public/plugins/text/§§

In addition the scanner appears to always add a trailing slash after the filename. While this works for the file read in this case, I have found other vulnerabilities where the trailing slash would prevent a file read that would otherwise work.

This is a straightforward vulnerability that I would expect Burp scanner to be able to detect without those changes. Could you please look into this?
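From the defender's side, the two request shapes discussed in the post (the scanner's probe that drops the plugin folder, and the real traversal under /public/plugins/<plugin>/ with a trailing slash appended) both need to be caught in access logs. The following is an added example, not code from the thread or from PortSwigger or Grafana: it decodes and normalizes the request path so that percent-encoding and the trailing slash do not hide the target, and flags any /public/plugins/ request containing a ".." segment. The log lines are constructed for the example; only the path shapes come from the post.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). Line 2 mirrors the
# scanner probe quoted in the post, line 3 the traversal with the plugin
# folder kept and a trailing slash, line 4 the harmless "dummy folder" request.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Dec/2021:19:02:11 +0000] "GET /public/plugins/text/module.js HTTP/1.1" 200 4120
10.0.0.9 - - [14/Dec/2021:19:02:12 +0000] "GET /public/plugins/../../../../../../../../etc/passwd/ HTTP/1.1" 404 12
10.0.0.9 - - [14/Dec/2021:19:02:13 +0000] "GET /public/plugins/text/..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd/ HTTP/1.1" 200 1893
10.0.0.9 - - [14/Dec/2021:19:02:14 +0000] "GET /public/plugins/text/a/ HTTP/1.1" 404 12
"""

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
PLUGIN_PREFIX = "/public/plugins/"


def decode_path(raw_path):
    """Strip the query string and percent-decode twice to undo double encoding."""
    return unquote(unquote(raw_path.split("?", 1)[0]))


def is_traversal(raw_path):
    """True if the decoded path carries a '..' segment, regardless of encoding
    or whether a trailing slash was appended after the filename."""
    return ".." in decode_path(raw_path).split("/")


def resolved_target(raw_path):
    """Collapse '..' segments the way a naive file-serving handler would.
    posixpath.normpath also drops the trailing slash, so '/etc/passwd/' and
    '/etc/passwd' resolve to the same target."""
    return posixpath.normpath(decode_path(raw_path))


def find_traversals(log_text):
    """Return one record per /public/plugins/ request that attempts a traversal,
    with the resolved target and HTTP status so successful reads stand out."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        path = m.group("path")
        if path.startswith(PLUGIN_PREFIX) and is_traversal(path):
            hits.append({"src": line.split()[0], "method": m.group("method"),
                         "path": path, "target": resolved_target(path),
                         "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    for hit in find_traversals(SAMPLE_LOG):
        print(hit)
```

A 200 response with a target outside /public/plugins/ is the case worth paging on; the 404 probe still shows someone scanning the endpoint.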

Liam, PortSwigger Agent | Last updated: Dec 15, 2021 01:48PM UTC

Hi Daniel. I think our research team considered this in this Twitter thread - https://twitter.com/PortSwiggerRes/status/1468878627102248963 "It might not be the case if you just run the scanner & crawler on the main Grafana page without authentication. But you always can cherry-pick interesting requests from the proxy and scan them manually."
