CVE-2021-43780 - OpenCVE

Vendors	Products
Redash	Redash

Link	Providers
https://github.com/getredash/redash/commit/61bbb5aa7a23a93f2f93710005f71bc972826099
https://github.com/getredash/redash/security/advisories/GHSA-fcpv-hgq6-87h7

{"containers": {"cna": {"affected": [{"product": "redash", "vendor": "getredash", "versions": [{"status": "affected", "version": "<= 10.0.0"}]}], "descriptions": [{"lang": "en", "value": "Redash is a package for data visualization and sharing. In versions 10.0 and priorm the implementation of URL-loading data sources like JSON, CSV, or Excel is vulnerable to advanced methods of Server Side Request Forgery (SSRF). These vulnerabilities are only exploitable on installations where a URL-loading data source is enabled. As of time of publication, the `master` and `release/10.x.x` branches address this by applying the Advocate library for making http requests instead of the requests library directly. Users should upgrade to version 10.0.1 to receive this patch. There are a few workarounds for mitigating the vulnerability without upgrading. One can disable the vulnerable data sources entirely, by adding the following env variable to one's configuration, making them unavailable inside the webapp. One can switch any data source of certain types (viewable in the GitHub Security Advisory) to be `View Only` for all groups on the Settings > Groups > Data Sources screen. For users unable to update an admin may modify Redash's configuration through environment variables to mitigate this issue. Depending on the version of Redash, an admin may also need to run a CLI command to re-encrypt some fields in the database. The `master` and `release/10.x.x` branches as of time of publication have removed the default value for `REDASH_COOKIE_SECRET`. All future releases will also require this to be set explicitly. For existing installations, one will need to ensure that explicit values are set for the `REDASH_COOKIE_SECRET` and `REDASH_SECRET_KEY `variables."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-23T23:55:09", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/getredash/redash/security/advisories/GHSA-fcpv-hgq6-87h7"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/getredash/redash/commit/61bbb5aa7a23a93f2f93710005f71bc972826099"}], "source": {"advisory": "GHSA-fcpv-hgq6-87h7", "discovery": "UNKNOWN"}, "title": "Server-Side Request Forgery (SSRF) in Redash", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-43780", "STATE": "PUBLIC", "TITLE": "Server-Side Request Forgery (SSRF) in Redash"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "redash", "version": {"version_data": [{"version_value": "<= 10.0.0"}]}}]}, "vendor_name": "getredash"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Redash is a package for data visualization and sharing. In versions 10.0 and priorm the implementation of URL-loading data sources like JSON, CSV, or Excel is vulnerable to advanced methods of Server Side Request Forgery (SSRF). These vulnerabilities are only exploitable on installations where a URL-loading data source is enabled. As of time of publication, the `master` and `release/10.x.x` branches address this by applying the Advocate library for making http requests instead of the requests library directly. Users should upgrade to version 10.0.1 to receive this patch. There are a few workarounds for mitigating the vulnerability without upgrading. One can disable the vulnerable data sources entirely, by adding the following env variable to one's configuration, making them unavailable inside the webapp. One can switch any data source of certain types (viewable in the GitHub Security Advisory) to be `View Only` for all groups on the Settings > Groups > Data Sources screen. For users unable to update an admin may modify Redash's configuration through environment variables to mitigate this issue. Depending on the version of Redash, an admin may also need to run a CLI command to re-encrypt some fields in the database. The `master` and `release/10.x.x` branches as of time of publication have removed the default value for `REDASH_COOKIE_SECRET`. All future releases will also require this to be set explicitly. For existing installations, one will need to ensure that explicit values are set for the `REDASH_COOKIE_SECRET` and `REDASH_SECRET_KEY `variables."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-918: Server-Side Request Forgery (SSRF)"}]}]}, "references": {"reference_data": [{"name": "https://github.com/getredash/redash/security/advisories/GHSA-fcpv-hgq6-87h7", "refsource": "CONFIRM", "url": "https://github.com/getredash/redash/security/advisories/GHSA-fcpv-hgq6-87h7"}, {"name": "https://github.com/getredash/redash/commit/61bbb5aa7a23a93f2f93710005f71bc972826099", "refsource": "MISC", "url": "https://github.com/getredash/redash/commit/61bbb5aa7a23a93f2f93710005f71bc972826099"}]}, "source": {"advisory": "GHSA-fcpv-hgq6-87h7", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:03:08.620Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/getredash/redash/security/advisories/GHSA-fcpv-hgq6-87h7"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/getredash/redash/commit/61bbb5aa7a23a93f2f93710005f71bc972826099"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-43780", "datePublished": "2021-11-23T23:55:10", "dateReserved": "2021-11-16T00:00:00", "dateUpdated": "2024-08-04T04:03:08.620Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redash:redash:*:*:*:*:*:*:*:*", "matchCriteriaId": "AF2C7DBC-5166-4A5C-8691-ED5E0EE3B027", "versionEndExcluding": "10.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Redash is a package for data visualization and sharing. In versions 10.0 and priorm the implementation of URL-loading data sources like JSON, CSV, or Excel is vulnerable to advanced methods of Server Side Request Forgery (SSRF). These vulnerabilities are only exploitable on installations where a URL-loading data source is enabled. As of time of publication, the `master` and `release/10.x.x` branches address this by applying the Advocate library for making http requests instead of the requests library directly. Users should upgrade to version 10.0.1 to receive this patch. There are a few workarounds for mitigating the vulnerability without upgrading. One can disable the vulnerable data sources entirely, by adding the following env variable to one's configuration, making them unavailable inside the webapp. One can switch any data source of certain types (viewable in the GitHub Security Advisory) to be `View Only` for all groups on the Settings > Groups > Data Sources screen. For users unable to update an admin may modify Redash's configuration through environment variables to mitigate this issue. Depending on the version of Redash, an admin may also need to run a CLI command to re-encrypt some fields in the database. The `master` and `release/10.x.x` branches as of time of publication have removed the default value for `REDASH_COOKIE_SECRET`. All future releases will also require this to be set explicitly. For existing installations, one will need to ensure that explicit values are set for the `REDASH_COOKIE_SECRET` and `REDASH_SECRET_KEY `variables."}, {"lang": "es", "value": "Redash es un paquete para visualizar y compartir datos. En las versiones 10.0 y anteriores, la implementaci\u00f3n de fuentes de datos de carga de URL como JSON, CSV o Excel es vulnerable a m\u00e9todos avanzados de falsificaci\u00f3n de peticiones del lado del servidor (SSRF). Estas vulnerabilidades s\u00f3lo pueden ser explotadas en instalaciones en las que est\u00e9 habilitada una fuente de datos de carga por URL. En el momento de la publicaci\u00f3n, las ramas \"master\" y \"release/10.x.x\" abordan esto aplicando la biblioteca Advocate para realizar peticiones http en lugar de la biblioteca requests directamente. Los usuarios deben actualizar a la versi\u00f3n 10.0.1 para recibir este parche. Se presentan algunas soluciones para mitigar la vulnerabilidad sin actualizar. Uno puede deshabilitar las fuentes de datos vulnerables por completo, a\u00f1adiendo la siguiente variable env a la configuraci\u00f3n, haciendo que no est\u00e9n disponibles dentro de la aplicaci\u00f3n web. Puede cambiarse cualquier fuente de datos de determinados tipos (visibles en el Aviso de Seguridad de GitHub) para que sea \"View Only\" para todos los grupos en la pantalla de Settings ) Groups ) Data Sources. Para usuarios que no pueden actualizar un administrador puede modificar la configuraci\u00f3n de Redash mediante variables de entorno para mitigar este problema. Dependiendo de la versi\u00f3n de Redash, un administrador tambi\u00e9n puede necesitar ejecutar un comando CLI para volver a cifrar algunos campos en la base de datos. Las ramas \"master\" y \"release/10.x.x\" en el momento de la publicaci\u00f3n han eliminado el valor por defecto de \"REDASH_COOKIE_SECRET\". Todas las versiones futuras tambi\u00e9n requerir\u00e1n que sea establecida expl\u00edcitamente. Para las instalaciones existentes, habr\u00e1 que asegurarse de que sean establecidos valores expl\u00edcitos para las variables \"REDASH_COOKIE_SECRET\" y \"REDASH_SECRET_KEY\""}], "id": "CVE-2021-43780", "lastModified": "2021-11-30T15:07:27.213", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-11-24T16:15:14.337", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/getredash/redash/commit/61bbb5aa7a23a93f2f93710005f71bc972826099"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/getredash/redash/security/advisories/GHSA-fcpv-hgq6-87h7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object