Grafana is an open-source platform for monitoring and observability.
In Grafana Enterprise, Request security is a deny list that allows admins to configure Grafana in a way so that the instance doesn’t call specific hosts.
However, the restriction can be bypassed used punycode encoding of the characters in the request address.
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Grafana | Grafana | 9.4.0 (including) | 9.4.17 (excluding) |
| Grafana | Grafana | 9.5.0 (including) | 9.5.13 (excluding) |
| Grafana | Grafana | 10.0.0 (including) | 10.0.9 (excluding) |
| Grafana | Grafana | 10.1.0 (including) | 10.1.5 (excluding) |
| Grafana | Ubuntu | xenial | * |