Redash - Vulnerabilities in CheckMarx Scan

Hi Arik,
We scanned the Redash (v5.0.2) code with a CheckMarx scan and it is showing some vulnerabilities.
Below is the list of vulnerability types (High and Medium):
1. Command Injection
2. Security Misconfiguration
3. Filtering Sensitive Logs
4. Open Redirect
5. Cross Site History Manipulation
6. Trust Boundary Violation
7. Hardcoded Password in Connection String
8. Header Injection
9. Privacy Violation
10. Insecure Randomness
11. Path Traversal

Please let us know if there are any plans to address these vulnerabilities in an upcoming Redash release.


First, you might want to read about “Responsible Disclosure”. A public forum is not the place to discuss potential security vulnerabilities. You might want to refer to the project security policy.

Redash 5.0.2 was released about 9 months ago, and since then we have had 2 major releases and are going to have another major release soon. Those releases included security improvements as well, so I'm not sure how relevant the check you did is. Also, some of the things you listed depend on deployment/configuration and are not something to do with Redash itself.

You’re welcome to do the same scan on the latest version of the code, and send an email to the address mentioned in the policy for further discussion.