Platform
other
Component
marcusolsson-json-datasource
Fixed in
1.3.21
CVE-2023-5123 is a path traversal vulnerability affecting the Grafana JSON Datasource Plugin, a plugin maintained by Grafana Labs. This flaw allows attackers to potentially access sensitive files on the server hosting the Grafana instance by manipulating the dashboard-supplied path parameter. Versions 0.2.0 through 1.3.21 are vulnerable. A fix is available in version 1.3.21.
An attacker exploiting this vulnerability could craft malicious Grafana dashboards that include path traversal sequences (../) in the configured endpoint path. This allows them to bypass the intended sub-path restriction and access arbitrary files on the server hosting the JSON datasource endpoint. The potential impact includes exposure of sensitive configuration files, database credentials, or other confidential data. The blast radius depends on the permissions of the user running the Grafana server and the access controls on the underlying file system. Successful exploitation could lead to significant data breaches and system compromise.
CVE-2023-5123 was publicly disclosed on February 14, 2024. No known public exploits or active campaigns have been reported at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The ease of exploitation is relatively high due to the straightforward nature of path traversal attacks and the plugin's widespread use in Grafana deployments.
Organizations using Grafana with the JSON Datasource Plugin are at risk, particularly those with dashboards configured by multiple users or those who have not implemented strict input validation measures. Shared hosting environments where multiple Grafana instances share the same server are also at increased risk.
• linux / server:
journalctl -u grafana | grep -i "path traversal"
• generic web:
curl -I 'http://your-grafana-instance/d/YOUR_DASHBOARD/your-query?path=../../../../etc/passwd' # Attempt to access sensitive file
Exploit status
EPSS
0.53% (67th percentile)
CVSS vector
The primary mitigation for CVE-2023-5123 is to upgrade the Grafana JSON Datasource Plugin to version 1.3.21 or later. If immediate upgrading is not feasible, consider implementing temporary workarounds such as restricting access to the Grafana server, implementing strict input validation on the endpoint path parameter, or using a Web Application Firewall (WAF) to block requests containing path traversal sequences. Monitor Grafana logs for suspicious activity, particularly requests containing '../' sequences. After upgrading, confirm the fix by attempting to access files outside the intended sub-path via a Grafana dashboard – the request should be denied.
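One way to implement the input-validation workaround described above, as an added example that is not the plugin's code or Grafana's fix. The helper name ResolveUnderBase and the sample base URL are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ErrOutsideBase reports a supplied path that resolves outside the base sub-path.
var ErrOutsideBase = errors.New("path escapes configured sub-path")

// ResolveUnderBase (hypothetical helper) joins a dashboard-supplied path onto the
// datasource base URL and rejects any result outside the base URL's sub-path.
func ResolveUnderBase(baseURL, supplied string) (string, error) {
	base, err := url.Parse(baseURL)
	if err != nil {
		return "", err
	}
	// Decode until stable so %2e%2e and double-encoded %252e%252e become "..".
	decoded := supplied
	for i := 0; ; i++ {
		next, err := url.PathUnescape(decoded)
		if err != nil || i == 3 {
			return "", fmt.Errorf("malformed or over-encoded path %q", supplied)
		}
		if next == decoded {
			break
		}
		decoded = next
	}
	decoded = strings.ReplaceAll(decoded, `\`, "/") // some servers treat "\" as "/"
	root := path.Clean("/" + base.Path)
	full := path.Clean(root + "/" + decoded)
	// Compare on a segment boundary: "/v1/metrics-private" is not under "/v1/metrics".
	if full != root && !strings.HasPrefix(full, strings.TrimSuffix(root, "/")+"/") {
		return "", ErrOutsideBase
	}
	base.Path, base.RawPath = full, ""
	return base.String(), nil
}

func main() {
	const base = "https://api.example.test/v1/metrics" // constructed sample base URL
	for _, p := range []string{"cpu/load", "../../admin", "%252e%252e/secrets", "../metrics-private/x"} {
		out, err := ResolveUnderBase(base, p)
		fmt.Printf("%-24q -> %q err=%v\n", p, out, err)
	}
}
```

The check runs on the cleaned, fully decoded path rather than on the raw string, so encoded and backslash variants of `../` are rejected along with sibling directories that merely share the sub-path's prefix.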
Upgrade the JSON Datasource plugin to version 1.3.21 or later. This version fixes the path traversal vulnerability. See the Grafana security advisory for more details.
CVE-2023-5123 is a path traversal vulnerability in the Grafana JSON Datasource Plugin, allowing attackers to access files outside the intended directory by manipulating the dashboard path parameter.
You are affected if you are using Grafana with the JSON Datasource Plugin versions 0.2.0 through 1.3.21. Upgrade to 1.3.21 or later to resolve the issue.
Upgrade the Grafana JSON Datasource Plugin to version 1.3.21 or later. As a temporary workaround, implement a WAF rule to block path traversal attempts.
While no public exploits are currently known, the vulnerability's simplicity suggests a potential for exploitation. Monitor your Grafana instances closely.
Refer to the official Grafana security advisory: https://grafana.com/grafana/plugins/marcusolsson-json-datasource/