SSRF in CSV Datasource Plugin

Medium
Advisory ID:CVE-2023-5122
Published:2024-02-14
Product:Grafana CSV Plugin
CVSS Score:5.0
CVSS Vector:CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Fixed Versions:
>=0.6.13

Summary

Grafana is an open-source platform for monitoring and observability. The CSV datasource plugin is a Grafana Labs maintained plugin that allows for retrieving and processing CSV data from a remote endpoint configured by an administrator. If this plugin was configured to send requests to a bare host with no path (e.g. https://www.example.com/), requests to an endpoint other than the one configured by the administrator could be triggered by a specially crafted request from any user.

This issue has been patched in plugin version 0.6.13.