‘Grafana Ghost’ XSS flaw exposes 47,000 servers to account takeover

From open-redirect to plugin-powered takeover

Based on the PoC shared by OX Security, the exploit combines client-side path traversal with open-redirect behaviour in Grafana's staticHandler, the component responsible for serving static files such as HTML, CSS, JavaScript, and images from the server to the user's browser.

In a typical attack, the victim receives a crafted URL that takes them to a malicious domain. Once there, the user is tricked into loading an unsigned, rogue Grafana plugin, without the attacker needing any editor or admin rights.

Once the plugin loads, it runs attacker-controlled JavaScript in the victim's browser, potentially leading to session hijacking, credential theft, creation of admin accounts, and modification of dashboards.

In addition, escalation to a full-read server-side request forgery (SSRF) is possible. "This vulnerability does not require editor permissions, and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to use the open redirect to achieve a full read SSRF," the Grafana advisory added. Upgrading to fixed Grafana versions is recommended to fully mitigate the issue against N-day attacks.
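The advisory names two deployment conditions that widen the blast radius: anonymous access (the XSS works without a login) and the Image Renderer plugin (the open redirect becomes full-read SSRF). The following added example, not code from the article or from Grafana, audits a grafana.ini excerpt and a plugin inventory for both conditions and compares a running version against a fixed version the operator supplies from the advisory; the ini text, plugin list and version numbers are constructed samples.

```python
import configparser
import json

# Constructed grafana.ini excerpt (not taken from any real deployment).
SAMPLE_INI = """
[auth.anonymous]
enabled = true
org_role = Viewer
"""

# Constructed sample shaped like the list Grafana's /api/plugins returns.
SAMPLE_PLUGINS = json.dumps([
    {"id": "grafana-image-renderer", "type": "renderer", "enabled": True},
    {"id": "grafana-piechart-panel", "type": "panel", "enabled": True},
])


def parse_version(v: str) -> tuple:
    """Turn '10.4.1' or '11.0.0-pre' into a comparable tuple of ints."""
    core = v.split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


def needs_upgrade(running: str, fixed: str) -> bool:
    """True when the running version is older than the fixed one."""
    return parse_version(running) < parse_version(fixed)


def assess(ini_text: str, plugins_json: str) -> dict:
    """Flag the two risk amplifiers named in the Grafana advisory."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    anonymous = cfg.getboolean("auth.anonymous", "enabled", fallback=False)
    renderer = any(
        p.get("id") == "grafana-image-renderer" and p.get("enabled", True)
        for p in json.loads(plugins_json)
    )
    findings = []
    if anonymous:
        findings.append("anonymous access enabled: XSS reachable without a login")
    if renderer:
        findings.append("image renderer installed: open redirect escalates to full-read SSRF")
    return {"anonymous_access": anonymous, "image_renderer": renderer, "findings": findings}


if __name__ == "__main__":
    # "FIXED_VERSION_PLACEHOLDER" stands in for the fixed version from the advisory.
    print("upgrade needed:", needs_upgrade("10.4.1", "10.4.2"))
    for finding in assess(SAMPLE_INI, SAMPLE_PLUGINS)["findings"]:
        print("-", finding)
```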