{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-8341", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2025-07-30T08:39:45.330Z", "datePublished": "2025-08-04T08:34:50.669Z", "dateUpdated": "2025-08-04T16:13:49.206Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "grafana-infinity-datasource", "vendor": "Grafana", "versions": [{"lessThan": "3.4.1", "status": "affected", "version": "0.6.0", "versionType": "semver"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Plugin must be installed and host(s) need to configured to be disallowed.&nbsp;<br>"}], "value": "Plugin must be installed and host(s) need to configured to be disallowed."}], "credits": [{"lang": "en", "type": "finder", "value": "Elad Pticha"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p><strong>Grafana</strong> is an open-source platform for monitoring and observability. The <strong>Infinity datasource plugin</strong>, maintained by Grafana Labs, allows visualizing data from JSON, CSV, XML, GraphQL, and HTML endpoints.</p>\n<p>If the plugin was configured to allow only certain URLs, an attacker could bypass this restriction using a specially crafted URL. This vulnerability is fixed in <strong>version 3.4.1.</strong></p>"}], "value": "Grafana is an open-source platform for monitoring and observability. The Infinity datasource plugin, maintained by Grafana Labs, allows visualizing data from JSON, CSV, XML, GraphQL, and HTML endpoints.\n\n\nIf the plugin was configured to allow only certain URLs, an attacker could bypass this restriction using a specially crafted URL. This vulnerability is fixed in version 3.4.1."}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "CAPEC-664 Server Side Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2025-08-04T08:34:50.669Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://grafana.com/security/security-advisories/cve-2025-8341/"}, {"tags": ["patch"], "url": "https://github.com/grafana/grafana-infinity-datasource/releases/tag/v3.4.1"}], "source": {"discovery": "EXTERNAL"}, "title": "SSRF in Infinity Datasource Plugin", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-04T16:06:51.991213Z", "id": "CVE-2025-8341", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-04T16:13:49.206Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8341", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-04T16:06:51.991213Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-04T16:12:09.371Z"}}], "cna": {"title": "SSRF in Infinity Datasource Plugin", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Elad Pticha"}], "impacts": [{"capecId": "CAPEC-664", "descriptions": [{"lang": "en", "value": "CAPEC-664 Server Side Request Forgery"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Grafana", "product": "grafana-infinity-datasource", "versions": [{"status": "affected", "version": "0.6.0", "lessThan": "3.4.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2025-8341/", "tags": ["vendor-advisory"]}, {"url": "https://github.com/grafana/grafana-infinity-datasource/releases/tag/v3.4.1", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Grafana is an open-source platform for monitoring and observability. The Infinity datasource plugin, maintained by Grafana Labs, allows visualizing data from JSON, CSV, XML, GraphQL, and HTML endpoints.\n\n\nIf the plugin was configured to allow only certain URLs, an attacker could bypass this restriction using a specially crafted URL. This vulnerability is fixed in version 3.4.1.", "supportingMedia": [{"type": "text/html", "value": "<p><strong>Grafana</strong> is an open-source platform for monitoring and observability. The <strong>Infinity datasource plugin</strong>, maintained by Grafana Labs, allows visualizing data from JSON, CSV, XML, GraphQL, and HTML endpoints.</p>\n<p>If the plugin was configured to allow only certain URLs, an attacker could bypass this restriction using a specially crafted URL. This vulnerability is fixed in <strong>version 3.4.1.</strong></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "configurations": [{"lang": "en", "value": "Plugin must be installed and host(s) need to configured to be disallowed.", "supportingMedia": [{"type": "text/html", "value": "Plugin must be installed and host(s) need to configured to be disallowed.&nbsp;<br>", "base64": false}]}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2025-08-04T08:34:50.669Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8341", "state": "PUBLISHED", "dateUpdated": "2025-08-04T16:13:49.206Z", "dateReserved": "2025-07-30T08:39:45.330Z", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "datePublished": "2025-08-04T08:34:50.669Z", "assignerShortName": "GRAFANA"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Grafana is an open-source platform for monitoring and observability. The Infinity datasource plugin, maintained by Grafana Labs, allows visualizing data from JSON, CSV, XML, GraphQL, and HTML endpoints.\n\n\nIf the plugin was configured to allow only certain URLs, an attacker could bypass this restriction using a specially crafted URL. This vulnerability is fixed in version 3.4.1."}, {"lang": "es", "value": "Grafana es una plataforma de c\u00f3digo abierto para la monitorizaci\u00f3n y la observabilidad. El plugin de origen de datos Infinity, mantenido por Grafana Labs, permite visualizar datos desde endpoints JSON, CSV, XML, GraphQL y HTML. Si el plugin estuviera configurado para permitir solo ciertas URL, un atacante podr\u00eda eludir esta restricci\u00f3n utilizando una URL especialmente manipulado. Esta vulnerabilidad se ha corregido en la versi\u00f3n 3.4.1."}], "id": "CVE-2025-8341", "lastModified": "2025-08-04T15:06:15.833", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-08-04T09:15:26.103", "references": [{"source": "[email protected]", "url": "https://github.com/grafana/grafana-infinity-datasource/releases/tag/v3.4.1"}, {"source": "[email protected]", "url": "https://grafana.com/security/security-advisories/cve-2025-8341/"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "[email protected]", "type": "Secondary"}]}

{"bugzilla": {"description": "github.com/grafana/grafana-infinity-datasource: Grafana Infinity datasource plugin URL Bypass Vulnerability", "id": "2386250", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2386250"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-918", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-8341", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:4", "fix_state": "Fix deferred", "package_name": "cryostat/cryostat-grafana-dashboard-rhel9", "product_name": "Cryostat 4"}], "public_date": "2025-08-04T08:34:50Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-8341\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-8341\nhttps://github.com/grafana/grafana-infinity-datasource/releases/tag/v3.4.1\nhttps://grafana.com/security/security-advisories/cve-2025-8341/"], "threat_severity": "Moderate"}