If you have one of the following data source types enabled:
Your users can use them to access private addresses in your network. For example, on AWS they can use one of these data source to access Instance Metadata which sometimes might leak credentials.
The URL data source allows access to any address by design and is deprecated since version 8. The JSON data source was supposed to filter private address URLs, but this can be bypassed with one of the options:
- By using a redirect URL. This was addressed in #4924 which by default prevents redirects, but you can enable them if you trust your users.
- DNS Rebinding. This is not addressed in the Open Source version at the moment, but there are some possible solutions like using a proxy to run these requests. For now, if you're concerned about your users taking advantage of this you might want to limit who can use the JSON data source or disable it entirely.
Patches
Version 9 beta includes the fix for ability to use a redirect (#4924).
Workarounds
If you can't upgrade at the moment and are concerned about this vulnerability you have several options:
- Limit Full Access to the JSON/URL data source only to a group of users you trust. The rest can still use this data source with existing queries, but won't be able to query arbitrary URLs.
- Remove the Data Source.
- If you don't trust your Redash admins with this, then you can disable it entirely by exposing an environment variable
REDASH_DISABLED_QUERY_RUNNERS with the value redash.query_runner.url,redash.query_runner.json_ds.
References
This was originally reported by Havoc Research Team on #4869. We recommend reviewing their disclosure for more details.
Although they classified the CVE as Critical we don't see it as such, considering the use cases and audience of Redash. But as they mentioned, the actual impact will depend on the environment the application is used in, typical to this vulnerability class.
For more information
If you have any questions or comments about this advisory, you're welcome to ask on our forum.
If you have further disclosure related to this issue or any other security issue related to Redash, email us at security@redash.io.
0xBADCA7 Analyst
If you have one of the following data source types enabled:
Your users can use them to access private addresses in your network. For example, on AWS they can use one of these data source to access Instance Metadata which sometimes might leak credentials.
The URL data source allows access to any address by design and is deprecated since version 8. The JSON data source was supposed to filter private address URLs, but this can be bypassed with one of the options:
Patches
Version 9 beta includes the fix for ability to use a redirect (#4924).
Workarounds
If you can't upgrade at the moment and are concerned about this vulnerability you have several options:
REDASH_DISABLED_QUERY_RUNNERSwith the valueredash.query_runner.url,redash.query_runner.json_ds.References
This was originally reported by Havoc Research Team on #4869. We recommend reviewing their disclosure for more details.
Although they classified the CVE as Critical we don't see it as such, considering the use cases and audience of Redash. But as they mentioned, the actual impact will depend on the environment the application is used in, typical to this vulnerability class.
For more information
If you have any questions or comments about this advisory, you're welcome to ask on our forum.
If you have further disclosure related to this issue or any other security issue related to Redash, email us at security@redash.io.