CVE-2023-5122: 
Grafana vulnerability analysis and mitigation

The CSV datasource plugin for Grafana, a widely-used open-source monitoring and observability platform, was found to contain a Server-Side Request Forgery (SSRF) vulnerability identified as CVE-2023-5122. The vulnerability was publicly disclosed on February 14, 2024. The issue affects CSV datasource plugin versions prior to 0.6.13, specifically when the plugin is configured to send requests to a bare host with no path (e.g., https://www.example.com/) (Grafana Advisory).

The vulnerability is classified as a Server-Side Request Forgery (SSRF) issue (CWE-918) with a CVSS v3.1 base score of 5.0 (MEDIUM), and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N. The vulnerability allows authenticated users to trigger requests to endpoints other than those configured by the administrator through specially crafted requests (NVD).

Successful exploitation of this vulnerability could lead to the disclosure of sensitive information. The vulnerability allows attackers to make web requests to arbitrary locations originating from the web application, potentially accessing and modifying information from internal services (NetApp Advisory).

The vulnerability has been patched in CSV datasource plugin version 0.6.13. Organizations using affected versions should upgrade to the latest version to mitigate the risk (Grafana Advisory).