PT-2021-23928 · Redash · Redash
Ian Carroll
+1
·
Published
2021-11-23
·
Updated
2024-03-06
·
CVE-2021-43780
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
Redash versions 10.0 and prior
Description:
Redash is a package for data visualization and sharing. The implementation of URL-loading data sources such as JSON, CSV, or Excel in versions 10.0 and prior is vulnerable to advanced methods of Server Side Request Forgery (SSRF). "Advanced methods" here means the bypasses that get past a check on the literal hostname alone: alternate encodings of an address, a DNS name that resolves to a loopback or internal address, or an HTTP redirect to one, so that the Redash server ends up fetching from hosts the configured URL never named. These vulnerabilities are only exploitable on installations where a URL-loading data source is enabled.
The master and release/10.x.x branches address this by routing those HTTP requests through the Advocate library, a wrapper around requests that validates the destination address, including after DNS resolution and on every redirect, instead of calling the requests library directly.
Recommendations:
To resolve the issue, upgrade to version 10.0.1, which contains the patch.
As a temporary workaround, disable the vulnerable data sources entirely by adding an environment variable to the configuration: Redash reads REDASH_DISABLED_QUERY_RUNNERS as a comma-separated list of query runner module paths to leave unloaded, so list the URL-loading runners (JSON, CSV, Excel and any other runner in the installation that fetches from a URL) there and restart the server and workers.
Alternatively, switch every data source of those types to View Only for all groups on the Settings > Groups > Data Sources screen, so that group members can view existing queries and results but not execute new queries against those sources.
For users unable to update, an admin may modify Redash's configuration through environment variables to mitigate this issue.
Depending on the version of Redash, an admin may also need to run a CLI command to re-encrypt some fields in the database.
For existing installations, ensure that explicit values are set for the REDASH_COOKIE_SECRET and REDASH_SECRET_KEY variables. These two settings harden the secret-key configuration that was tightened in the same release; they do not by themselves block the SSRF, so treat them as a complement to the workarounds above rather than a substitute.
Fix
SSRF
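The following is an added example, not code from Redash or the Advocate library, that makes the description's "advanced methods" concrete: a hostname blacklist of the kind a URL-loading runner could have applied passes shorthand and IPv4-mapped encodings of loopback and names that resolve to internal addresses, whereas validating every resolved address and every redirect hop, as the Advocate-based fix does, rejects them. The function names, the blocked address ranges, and the fake DNS and HTTP fixtures are this example's own assumptions.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

# Ranges a server-side fetcher should never reach (assumed policy, not Redash's).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

def is_blocked_address(addr):
    """True if the address string lies in a loopback, private, link-local or multicast range."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return any(ip in net for net in BLOCKED_NETWORKS)

def naive_is_allowed(url):
    """The hostname-blacklist pattern: compares the literal host string and nothing else."""
    host = (urlsplit(url).hostname or "").lower()
    return host not in {"localhost", "127.0.0.1"}

def resolve_all(host):
    """Every A/AAAA answer for the host, not just the first; [] if it does not resolve."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def validate_target(url, resolver=resolve_all):
    """Resolve the URL's host and reject it if any answer is blocked.
    Returns the resolved addresses so the caller can connect to one of them."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    addrs = resolver(host)
    if not addrs:
        raise ValueError("host does not resolve: %r" % host)
    for addr in addrs:
        if is_blocked_address(addr):
            raise ValueError("%s resolves to blocked address %s" % (host, addr))
    return addrs

def rejects(url, resolver=resolve_all):
    """True if validate_target refuses the URL."""
    try:
        validate_target(url, resolver)
    except ValueError:
        return True
    return False

def fetch_checked(url, fetch, resolver=resolve_all, max_hops=5):
    """Follow redirects by hand so every hop is validated. fetch(url, addr) must connect
    to the already-validated addr instead of resolving the name again; otherwise the
    name could change answers between the check and the connection (DNS rebinding)."""
    hops = [url]
    for _ in range(max_hops):
        addrs = validate_target(url, resolver)
        status, location, body = fetch(url, addrs[0])
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)
            hops.append(url)
            continue
        return status, body, hops
    raise ValueError("too many redirects")

# Constructed fixtures so the example runs offline; no real DNS or HTTP is involved.
FAKE_DNS = {
    "data.example": ["93.184.216.34"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],  # one public and one loopback answer
    "127.1": ["127.0.0.1"],        # what getaddrinfo() makes of the shorthand forms
    "0x7f000001": ["127.0.0.1"],
    "2130706433": ["127.0.0.1"],
}

def fake_resolver(host):
    try:
        return [str(ipaddress.ip_address(host))]  # literal address: no lookup needed
    except ValueError:
        return FAKE_DNS.get(host, [])

def fake_fetch(url, addr):
    """Stand-in HTTP client returning (status, Location header, body)."""
    if url == "http://data.example/latest.json":
        return 302, "http://169.254.169.254/latest/meta-data/", b""
    return 200, None, b'{"ok": true}'

if __name__ == "__main__":
    for u in ("http://127.1/", "http://0x7f000001/", "http://2130706433/",
              "http://[::ffff:127.0.0.1]/", "http://rebind.example/data.csv"):
        print("%-32s naive allows: %-5s resolved check rejects: %s"
              % (u, naive_is_allowed(u), rejects(u, fake_resolver)))
    try:
        fetch_checked("http://data.example/latest.json", fake_fetch, fake_resolver)
    except ValueError as err:
        print("redirect hop refused:", err)
```

The injected fetch(url, addr) callable stands for a client that connects to the address just validated rather than resolving the name a second time. With a pre-check bolted in front of a plain requests call, the check and the connection each resolve the name independently, which leaves a DNS-rebinding window; that is why a wrapper that validates at connection time, Advocate's approach, is the right shape of fix rather than an extra check before requests.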
Weakness Enumeration
Related Identifiers
Affected Products
Redash