cvedb.io
CVE-2021-43780
MEDIUM · CVSS 6.8
EPSS exploitation probability: 0%
Published 2021-11-24T16:15:14.337 · Last modified 2026-06-17T04:11:25.457

Summary

Redash is a package for data visualization and sharing. In versions 10.0 and prior, the implementation of URL-loading data sources like JSON, CSV, or Excel is vulnerable to advanced methods of Server Side Request Forgery (SSRF). These vulnerabilities are only exploitable on installations where a URL-loading data source is enabled. As of the time of publication, the `master` and `release/10.x.x` branches address this by applying the Advocate library for making HTTP requests instead of using the requests library directly. Users should upgrade to version 10.0.1 to receive this patch. There are a few workarounds for mitigating the vulnerability without upgrading. One can disable the vulnerable data sources entirely, by adding the following env variable to one's configuration, making them unavailable ins

Affected products

redash — redash

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.