Platform: other
Component: marcusolsson-json-datasource
Fixed in: 1.3.21
CVE-2023-5123 is a path traversal vulnerability affecting the Grafana JSON Datasource Plugin, a Grafana Labs maintained plugin. This flaw allows attackers to potentially access sensitive files on the server hosting the Grafana instance by manipulating the dashboard-supplied path parameter. Versions 0.2.0 through 1.3.21 are vulnerable. A fix is available in version 1.3.21.
An attacker can exploit this vulnerability by crafting a malicious dashboard that includes path traversal sequences (../) in the path parameter. This bypasses the intended sub-path restriction and gives access to files outside of the configured directory. The potential impact ranges from reading sensitive configuration files to executing arbitrary code if the server's file system is misconfigured. The blast radius extends to any Grafana instance using the vulnerable plugin, potentially exposing data and compromising the entire system. This vulnerability shares similarities with other path traversal exploits, highlighting the importance of strict input validation.
CVE-2023-5123 was publicly disclosed on February 14, 2024. No public proof-of-concept exploits are currently known, but the vulnerability is easy to exploit, so exploitation could follow quickly. It is not currently listed on CISA KEV. The CVSS score of 8 (HIGH) indicates a significant risk.
Exploit Status
EPSS: 0.53% (67% percentile)
The primary mitigation is to upgrade the Grafana JSON Datasource Plugin to version 1.3.21 or later. If immediate upgrading is not possible, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (../) in the path parameter. Additionally, review the Grafana instance's configuration to ensure that the JSON Datasource Plugin is configured with the most restrictive path possible. After upgrading, confirm the fix by attempting to access a file outside the intended sub-path via a Grafana dashboard; the request should be denied.
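To support the configuration review and WAF workaround described above, the following added example (not code from the plugin or from Grafana) audits an exported dashboard for query paths that resolve outside a configured sub-path. The query field name `urlPath`, the sub-path `/api/v1` and the sample dashboard are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252e) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_base(base, supplied):
    """True if the supplied path resolves outside the configured sub-path."""
    base = posixpath.normpath("/" + base.strip("/"))
    candidate = fully_decode(supplied).replace("\\", "/")
    resolved = posixpath.normpath(posixpath.join(base, candidate.lstrip("/")))
    # Compare on a path-segment boundary: "/api/v1-internal" is not under "/api/v1".
    return resolved != base and not resolved.startswith(base.rstrip("/") + "/")

def audit_dashboard(dashboard, base, field="urlPath"):
    """Return (panel title, refId, path) for every query path that escapes base.
    The field name is an assumption; match it to your exported dashboards."""
    findings = []
    queue = list(dashboard.get("panels", []))
    for panel in queue:  # the list grows as nested row panels are discovered
        queue.extend(panel.get("panels", []))
        for target in panel.get("targets", []):
            path = target.get(field)
            if isinstance(path, str) and escapes_base(base, path):
                findings.append((panel.get("title"), target.get("refId"), path))
    return findings

# Constructed sample dashboard export, not taken from a real instance.
SAMPLE_DASHBOARD = {"panels": [
    {"title": "CPU", "targets": [{"refId": "A", "urlPath": "/metrics/cpu"}]},
    {"title": "Row", "panels": [{"title": "Odd", "targets": [
        {"refId": "A", "urlPath": "..%2f..%2fadmin/settings"},
        {"refId": "B", "urlPath": "%252e%252e/v1-internal/keys"},
    ]}]},
]}

if __name__ == "__main__":
    for finding in audit_dashboard(SAMPLE_DASHBOARD, "/api/v1"):
        print("escapes configured sub-path:", finding)
```

Neither flagged path contains a literal `../`, so a filter that only matches that string would pass both; decoding and normalizing before the comparison is what catches them.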
Upgrade the JSON Datasource plugin to version 1.3.21 or later. This version fixes the path traversal vulnerability. See the Grafana security advisory for more details.
CVE-2023-5123 is a path traversal vulnerability in the Grafana JSON Datasource Plugin, allowing attackers to access files outside the intended directory by manipulating the dashboard path parameter.
You are affected if you are using Grafana with the JSON Datasource Plugin versions 0.2.0 through 1.3.21. Upgrade to 1.3.21 or later to resolve the issue.
Upgrade the Grafana JSON Datasource Plugin to version 1.3.21 or later. As a temporary workaround, implement a WAF rule to block path traversal attempts.
While no public exploits are currently known, the vulnerability's simplicity suggests a potential for exploitation. Monitor your Grafana instances closely.
Refer to the official Grafana security advisory: https://grafana.com/grafana/plugins/marcusolsson-json-datasource/