SSRF in CSV Datasource Plugin
Medium
| Advisory ID: | CVE-2023-5122 |
| Published: | 2024-02-14 |
| Product: | Grafana CSV Plugin |
| CVSS Score: | 5.0 |
| CVSS Vector: | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |
| Fixed Versions: | >=0.6.13 |
Summary
Grafana is an open-source platform for monitoring and observability. The CSV datasource plugin is a Grafana Labs maintained plugin that allows for retrieving and processing CSV data from a remote endpoint configured by an administrator. If this plugin was configured to send requests to a bare host with no path (e.g. https://www.example.com/), requests to an endpoint other than the one configured by the administrator could be triggered by a specially crafted request from any user.
This issue has been patched in plugin version 0.6.13.