IMPORTANT Security Update: CVE-2020-12725 - Authenticated Server-Side Request Forgery (SSRF) in the JSON data source / internal addresses restriction bypass 🛡

If you’re not using the JSON or URL data sources or trust your users, you have little to worry about. Otherwise, you should keep reading.

If you have one of the following data source types enabled:

  • URL
  • JSON

Your users can use them to access private addresses in your network. For example, on AWS they can use one of these data sources to access Instance Metadata, which sometimes leaks credentials.

The URL data source allows access to any address by design and is deprecated since version 8. The JSON data source was supposed to filter private address URLs, but this can be bypassed with one of the options:

  1. By using a redirect URL. This was addressed in #4924 which by default prevents redirects, but you can enable them if you trust your users.
  2. DNS Rebinding. This is not addressed in the Open Source version at the moment, but there are some possible solutions like using a proxy to run these requests. For now, if you’re concerned about your users taking advantage of this you might want to limit who can use the JSON data source or disable it entirely.
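Both bypasses above come from the same design flaw: the private-address check is run once, on the URL the user typed, while the HTTP client later makes its own decisions (following a 3xx to a new host, or re-resolving the name) that the check never sees. The following is an added example, not Redash code, of the defensive pattern a query runner can use instead: resolve the host exactly once, reject the result if it is internal, and then connect to that literal IP with the original name in the Host header, so there is no second lookup for a rebinding DNS server to answer differently. Redirects are handled by re-running the same check on every Location header. All names (`resolve_and_pin`, `safe_redirect_target`, `is_allowed`, `BLOCKED_NETWORKS`) and the injectable `resolver` are assumptions of this example; it uses only the standard library and the hostnames in the usage below are constructed.

```python
"""Added example (not Redash's own code): SSRF-resistant URL handling for a
user-supplied data-source URL. Resolve once, validate, pin the IP, and
re-validate every redirect hop.
"""
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit, urlunsplit

# Assumed deployment policy: address ranges user-authored queries must never
# reach. 169.254.0.0/16 is the link-local range that cloud metadata services
# live in; the rest are RFC 1918, loopback, CGNAT and their IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_ip(ip_text):
    """True if the literal IP lies inside a blocked range."""
    ip = ipaddress.ip_address(ip_text)
    # ::ffff:10.0.0.1 is still 10.0.0.1; unwrap IPv4-mapped addresses before
    # checking, otherwise the IPv4 ranges never match.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve_and_pin(url, resolver=socket.gethostbyname):
    """Validate `url` and return (pinned_url, host_header).

    The host is resolved exactly once (via `resolver`, injectable for tests).
    The returned URL points at the resolved literal IP, and the caller sends
    the original name in the Host header, so the HTTP client never performs
    a second lookup that a rebinding DNS server could answer differently.
    Raises ValueError for anything that must not be fetched.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http/https are allowed, got %r" % parts.scheme)
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        ipaddress.ip_address(host)      # literal IP in the URL: no lookup
        ip_text = host
    except ValueError:
        ip_text = resolver(host)        # the single DNS lookup
    if is_blocked_ip(ip_text):
        raise ValueError("refusing internal address %s for host %s"
                         % (ip_text, host))
    literal = "[%s]" % ip_text if ":" in ip_text else ip_text
    netloc = literal if parts.port is None else "%s:%d" % (literal, parts.port)
    # Rebuilding the netloc also drops any user:pass@ the query author added.
    pinned = urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))
    return pinned, host


def safe_redirect_target(current_url, location, resolver=socket.gethostbyname):
    """Re-validate a 3xx Location header before following it.

    Relative Locations are resolved against the URL that issued the redirect;
    the new target then goes through the same resolve-once-and-pin check, so a
    public host cannot bounce the request onto an internal one.
    """
    return resolve_and_pin(urljoin(current_url, location), resolver)


def is_allowed(url, resolver=socket.gethostbyname):
    """Boolean convenience wrapper around resolve_and_pin."""
    try:
        resolve_and_pin(url, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed resolver standing in for DNS; no network is touched.
    fake_dns = {"example.com": "93.184.216.34",
                "metadata.test": "169.254.169.254",
                "localhost": "127.0.0.1"}
    for u in ("http://example.com/data.json", "http://metadata.test/",
              "http://[::ffff:10.0.0.1]/", "ftp://example.com/x"):
        print(u, "->", "allowed" if is_allowed(u, fake_dns.__getitem__) else "blocked")
```

The pinned URL is what gets handed to the HTTP client, together with `allow_redirects=False` (the #4924 behaviour) or a loop that calls `safe_redirect_target` for each hop. For HTTPS the client must still verify the certificate against the original hostname rather than the literal IP, which is the main reason the proxy-based approach mentioned above is often simpler to operate than doing this inside the query runner.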

Patches

Version 9 beta includes the fix for the redirect-based bypass (#4924).

Workarounds

If you can’t upgrade at the moment and are concerned about this vulnerability, you have several options:

  1. Limit Full Access to the JSON/URL data source only to a group of users you trust. The rest can still use this data source with existing queries, but won’t be able to query arbitrary URLs.
  2. Remove the Data Source.
  3. If you don’t trust your Redash admins with this, then you can disable it entirely by exposing an environment variable REDASH_DISABLED_QUERY_RUNNERS with the value redash.query_runner.url,redash.query_runner.json_ds.

References

This was originally reported by Havoc Research Team on #4869. We recommend reviewing their disclosure for more details.

Although they classified the CVE as Critical we don’t see it as such, considering the use cases and audience of Redash. But as they mentioned, the actual impact will depend on the environment the application is used in, typical to this vulnerability class.

For more information

If you have any questions or comments about this, you’re welcome to reply to this topic.

If you have further disclosure related to this issue or any other security issue related to Redash, email us at security@redash.io.
