Grafana datasource network restrictions bypass
Medium
| Advisory ID: | CVE-2023-4399 |
| Published: | 2023-10-12 |
| Product: | Grafana |
| CVSS Score: | 6.6 |
| CVSS Vector: | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L |
Summary
Grafana is an open-source platform for monitoring and observability.
In Grafana, Request security is a deny list that allows admins to configure Grafana in a way so that the instance doesn’t call specific hosts.
However, the restriction can be bypassed used punycode encoding of the characters in the request address.
Credits: leixiao of Syclover Security Team.