Grid Protection Alliance
Grid Solutions Division

Response to Grafana Vulnerability Update

January 2022

The version of Grafana distributed with the latest openHistorian is 7.3.4. Deployed standalone versions of Grafana prior to versions 8.3.2 and 7.5.12 are affected by the following vulnerability: CVE-2021-43813. This is a directory traversal vulnerability for fully lowercase or fully uppercase .md files which is limited in scope and allows access to files with the extension .md to authenticated users only.
Importantly, however, this vulnerability does not affect Grafana instances hosted by the openHistorian. The Grafana instance hosted by the openHistorian runs behind a reverse proxy in the openHistorian web interface. The openHistorian web interface normalizes the PATH requests going to Grafana which mitigates the vulnerability. The only access allowed to the openHistorian hosted Grafana instance is through the openHistorian web interface that requires user authentication.