Grafana JSON datasource plugin vulnerability
CVE-2023-5123

8HIGH

Key Information:

Vendor: Grafana
Status: Grafana-json-datasource
Vendor: CVE Published:; 14 February 2024

Summary

The JSON datasource plugin maintained by Grafana Labs allows administrators to retrieve and process JSON data from remote endpoints. However, a vulnerability exists due to insufficient sanitization of the path parameter supplied in dashboards. This flaw enables attackers to include path traversal characters, allowing requests to arbitrary subpaths on the configured endpoint. In scenarios where the datasource is set to point back to the Grafana instance, the situation escalates, potentially allowing for unauthorized access to sensitive administrative API endpoints. This vulnerability underscores the importance of robust input validation and the need for security measures in dashboard configurations.

Affected Version(s)

grafana-json-datasource 0.2.0 < 1.3.21

References

https://grafana.com/security/security-advisories/cve-2023...

https://security.netapp.com/advisory/ntap-20240503-0007/

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Feb 14, 2024
Vulnerability Reserved
Sep 22, 2023