CVE-2024-5526

Grafana OnCall is an easy-to-use on-call management tool that will help reduce toil in on-call management through simpler workflows and interfaces that are tailored specifically for engineers.

Grafana OnCall, from version 1.1.37 before 1.5.2 are vulnerable to a Server Side Request Forgery (SSRF) vulnerability in the webhook functionallity. 

This issue was fixed in version 1.5.2
SSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.7 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
GRAFANACNA
7.7 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 34%
VendorProductVersion
grafanaoncall
1.5.2 <
𝑥
< 1.5.2
grafanaoncall
1.1.37 ≤
𝑥
< 1.5.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://grafana.com/security/security-advisories/cve-2024-5526/
https://grafana.com/security/security-advisories/cve-2024-5526/