Server Side Request Forgery in Grafana OnCall by Grafana Labs
CVE-2024-5526
9.1 CRITICAL
What is CVE-2024-5526?
Grafana OnCall, an on-call management tool designed to enhance workflows for engineers, is affected by a Server Side Request Forgery (SSRF) vulnerability in its webhook functionality. The vulnerability exists in versions prior to 1.5.2 and allows unauthorized access to internal resources through crafted requests. The issue has been addressed with a fix provided in version 1.5.2, so affected installations should update to that version.