Grafana · Grafana Enterprise · CVE-2022-29170
**Name of the Vulnerable Software and Affected Versions**
Grafana Enterprise versions 7.4.0-beta1 through 7.5.15
Grafana Enterprise versions 8.0.0 through 8.5.2
**Description**
The issue lies in the Request security feature of Grafana Enterprise, which allows an instance to be configured to call only specific hosts. A malicious datasource running on an allowed host can bypass this restriction by returning an HTTP redirect to a forbidden host. This can potentially expose sensitive information to clients. The vulnerability only affects Grafana Enterprise when the Request security allow list is in use and it is possible to add a custom datasource that returns HTTP redirects.
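The following Go program is an added illustration, not Grafana's own code: it shows the class of check a Request security allow list needs, enforcing the list on every redirect hop and not only on the initial URL. The allow-list semantics (exact, case-insensitive hostname match), the error value and the datasource path are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

var ErrHostNotAllowed = errors.New("request security: host not in allow list") // initial URL or redirect hop outside the allow list

// checkHost allows a URL only if its hostname matches an allow-list entry (case-insensitive).
func checkHost(allowed []string, u *url.URL) error {
	for _, a := range allowed {
		if strings.EqualFold(a, u.Hostname()) {
			return nil
		}
	}
	return ErrHostNotAllowed
}

// fetch checks the allow list on the initial URL and, via CheckRedirect, on every redirect hop; checking only the initial URL is the gap the advisory describes.
func fetch(allowed []string, rawURL string) (int, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return 0, err
	}
	if err := checkHost(allowed, u); err != nil {
		return 0, err
	}
	client := &http.Client{CheckRedirect: func(req *http.Request, _ []*http.Request) error {
		return checkHost(allowed, req.URL) // evaluated before any connection to the redirect target
	}}
	resp, err := client.Get(rawURL)
	if err != nil {
		return 0, err // a CheckRedirect error arrives wrapped in *url.Error; errors.Is unwraps it
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	// Constructed malicious datasource: reachable on an allowed host, but it redirects elsewhere.
	ds := httptest.NewServer(http.RedirectHandler("http://forbidden.example/", http.StatusFound))
	defer ds.Close()
	_, err := fetch([]string{"127.0.0.1"}, ds.URL+"/api/query")
	fmt.Println("redirect outside allow list blocked:", errors.Is(err, ErrHostNotAllowed))
}
```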
**Recommendations**
For Grafana Enterprise versions 7.4.0-beta1 through 7.5.15, update to version 7.5.16 or later.
For Grafana Enterprise versions 8.0.0 through 8.5.2, update to version 8.5.3 or later.
As a temporary workaround, consider restricting the addition of custom datasources to minimize the risk of exploitation.
Avoid using the Request security allow list feature until the issue is resolved.