SSRF in CSV Datasource Plugin
Advisory ID: | CVE-2023-5122 |
Published: | 2024-02-14 |
Product: | Grafana CSV Plugin |
CVSS Score: | 5.0 |
CVSS Vector: | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |
Fixed Versions: | >=0.6.13 |
Summary
Grafana is an open-source platform for monitoring and observability. The CSV datasource plugin is a Grafana Labs maintained plugin that allows for retrieving and processing CSV data from a remote endpoint configured by an administrator. If this plugin was configured to send requests to a bare host with no path (e.g. https://www.example.com/
), requests to an endpoint other than the one configured by the administrator could be triggered by a specially crafted request from any user.
This issue has been patched in plugin version 0.6.13.