Description
Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, Request security is a deny list that allows admins to configure Grafana in a way so that the instance doesn’t call specific hosts. However, the restriction can be bypassed used punycode encoding of the characters in the request address.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low
Affected products
- Grafana / Grafana Enterprise10.1.0 – 10.1.5
- Grafana / Grafana Enterprise10.0.0 – 10.0.9
- Grafana / Grafana Enterprise9.5.0 – 9.5.13
- Grafana / Grafana Enterprise9.4.0 – 9.4.17