Skip to content

Authenticated Server-Side Request Forgery (SSRF) in the JSON data source / internal addresses restriction bypass

Low
arikfr published GHSA-4599-9qr8-ccj6 Jun 15, 2020

Package

No package listed

Affected versions

>=v8.0.0-beta

Patched versions

v9.0.0-beta

Description

If you have one of the following data source types enabled:

  • URL
  • JSON

Your users can use them to access private addresses in your network. For example, on AWS they can use one of these data source to access Instance Metadata which sometimes might leak credentials.

The URL data source allows access to any address by design and is deprecated since version 8. The JSON data source was supposed to filter private address URLs, but this can be bypassed with one of the options:

  1. By using a redirect URL. This was addressed in #4924 which by default prevents redirects, but you can enable them if you trust your users.
  2. DNS Rebinding. This is not addressed in the Open Source version at the moment, but there are some possible solutions like using a proxy to run these requests. For now, if you're concerned about your users taking advantage of this you might want to limit who can use the JSON data source or disable it entirely.

Patches

Version 9 beta includes the fix for ability to use a redirect (#4924).

Workarounds

If you can't upgrade at the moment and are concerned about this vulnerability you have several options:

  1. Limit Full Access to the JSON/URL data source only to a group of users you trust. The rest can still use this data source with existing queries, but won't be able to query arbitrary URLs.
  2. Remove the Data Source.
  3. If you don't trust your Redash admins with this, then you can disable it entirely by exposing an environment variable REDASH_DISABLED_QUERY_RUNNERS with the value redash.query_runner.url,redash.query_runner.json_ds.

References

This was originally reported by Havoc Research Team on #4869. We recommend reviewing their disclosure for more details.

Although they classified the CVE as Critical we don't see it as such, considering the use cases and audience of Redash. But as they mentioned, the actual impact will depend on the environment the application is used in, typical to this vulnerability class.

For more information

If you have any questions or comments about this advisory, you're welcome to ask on our forum.

If you have further disclosure related to this issue or any other security issue related to Redash, email us at [email protected].

Severity

Low

CVE ID

CVE-2020-12725

Weaknesses

No CWEs

Credits