CVE-2026-42129

Grafana · Loki Datasource Plugin

The Grafana Loki datasource plugin is vulnerable to a path traversal flaw within its callResource handler, potentially allowing unauthorized file access.

Executive summary

A high-severity path traversal vulnerability in the Grafana Loki datasource plugin could allow unauthorized actors to read arbitrary files from the underlying server.

Vulnerability

This is a path traversal vulnerability located in the callResource handler of the Loki plugin. Depending on the plugin configuration, this flaw may be reachable by authenticated users, potentially leading to unauthorized information disclosure.

Business impact

The ability to perform path traversal poses a significant risk to data confidentiality, as attackers could read sensitive configuration files, credentials, or system data. With a CVSS score of 7.7, this vulnerability is categorized as High, reflecting the potential for significant impact on system integrity and the exposure of sensitive organizational data.

Remediation

Immediate Action: Identify and apply the security patch provided by Grafana to the affected Loki datasource plugin version.

Proactive Monitoring: Review web server and application logs for suspicious directory traversal patterns, such as sequences like "../" in requests directed toward the plugin endpoint.

Compensating Controls: Implement Web Application Firewall (WAF) rules designed to detect and block path traversal attempts and directory traversal payloads.
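The monitoring guidance above can be turned into a concrete log check. The script below is an added example written for this page; it is not code from the advisory or from Grafana. It assumes combined-format web server access logs and an assumed resource endpoint prefix (/api/datasources/uid/, a placeholder to confirm against your own deployment), and the log lines it scans are constructed for illustration. Beyond the literal "../" string the advisory mentions, it percent-decodes each request path (including double-encoded forms) before looking for a ".." segment, since a matcher that only searches for the raw string misses encoded variants.

```python
import re
from urllib.parse import unquote

# Assumed path prefix under which datasource plugin resource calls arrive.
# Placeholder: confirm the real prefix against your own Grafana access logs.
PLUGIN_RESOURCE_PREFIX = "/api/datasources/uid/"

# Combined log format: client - user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample lines written for this example; not real traffic.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - admin [12/Mar/2026:10:01:02 +0000] "GET /api/datasources/uid/EXAMPLE-UID/resources/labels HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Mar/2026:10:01:05 +0000] "GET /api/datasources/uid/EXAMPLE-UID/resources/../../../../etc/passwd HTTP/1.1" 200 1024',
    '10.0.0.7 - - [12/Mar/2026:10:01:06 +0000] "GET /api/datasources/uid/EXAMPLE-UID/resources/%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0',
    '10.0.0.9 - viewer [12/Mar/2026:10:02:00 +0000] "GET /api/datasources/uid/EXAMPLE-UID/resources/series?match=up HTTP/1.1" 200 300',
    '10.0.0.3 - - [12/Mar/2026:10:02:10 +0000] "GET /public/build/../img/logo.png HTTP/1.1" 200 900',
    '10.0.0.7 - - [12/Mar/2026:10:02:30 +0000] "GET /api/datasources/uid/EXAMPLE-UID/resources/..%252f..%252fetc/hosts HTTP/1.1" 200 200',
]


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so that %2e%2e%2f and double-encoded
    %252e%252e%252f both collapse to '../'. The round limit keeps the loop
    bounded on pathological input."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal_path(raw_path: str) -> bool:
    """True when a request under the plugin resource prefix contains a '..'
    path segment after decoding. Backslashes are folded to '/' so that
    Windows-style separators are treated the same way."""
    path = fully_decode(raw_path.split("?", 1)[0]).replace("\\", "/")
    if not path.startswith(PLUGIN_RESOURCE_PREFIX):
        return False  # out of scope for this check: not the plugin endpoint
    return any(segment == ".." for segment in path.split("/"))


def find_traversal_attempts(lines):
    """Return one record per suspicious request: who sent it, what they asked
    for, and the status the server returned (a 200 deserves the most attention,
    since it means the request was not rejected)."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line: skip rather than abort the scan
        if is_traversal_path(match["path"]):
            hits.append({
                "client": match["client"],
                "user": match["user"],
                "path": match["path"],
                "status": int(match["status"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG_LINES):
        print(f"{hit['client']} user={hit['user']} status={hit['status']} {hit['path']}")
```

Run against real logs by replacing SAMPLE_LOG_LINES with the lines of the access log; a hit with status 200 on an unpatched instance is the case to escalate, while a 403 indicates the request was refused (for example by a WAF rule of the kind described above).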

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the High severity of this vulnerability, immediate action is required to secure affected Grafana instances. Administrators should verify the current plugin version against the vendor's security advisory and prioritize patching to prevent potential unauthorized access to sensitive system resources.