CVE-2023-5123

Summary

CVE-2023-5123 is a newly disclosed vulnerability in Grafana's JSON datasource plugin. This plugin, used for retrieving JSON data from remote endpoints, is maintained by Grafana Labs. The vulnerability lies in the inadequate sanitization of the dashboard-supplied path parameter, allowing for path traversal characters (../) to be included. As a result, an editor could create a dashboard referencing the datasource and issue queries containing these characters, causing the datasource to instead query arbitrary subpaths on the configured domain. If the plugin is configured to point back at the Grafana instance itself, the vulnerability could lead to privilege escalation and unauthorized access to Grafana administrative API endpoints.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.