Grafana RCE via SMTP server parameter injection ($5,000 USD)

We discussed this vulnerability during Episode 173 on 05 December 2022

The username, from_name and password fields of the SMTP server configuration accept new-line characters, which are written verbatim into the resulting configuration file. This makes it possible to inject configuration parameters that are not normally exposed. One such parameter is rendering_args for the Grafana Image Rendering plugin, whose --renderer-cmd-prefix argument can be turned into command injection.
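A defender-side check for this bug class, added here as an example and not Grafana's own code: values bound for an INI-style file (the format grafana.ini uses) are refused if they carry a line break or other control character, and an already-written section can be audited for keys outside an allow-list. The function names, the allow-list and the sample values are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// ValidateINIValue refuses CR/LF (the primitive in the report above) and other ASCII control characters.
func ValidateINIValue(v string) error {
	for _, r := range v {
		if r == '\n' || r == '\r' || (r < 0x20 && r != '\t') || r == 0x7f {
			return fmt.Errorf("value %q contains a line break or control character", v)
		}
	}
	return nil
}

// RenderSection writes one [section] the hardened way: each value is validated first, so no field can become an extra key.
func RenderSection(name string, kv [][2]string) (string, error) {
	var b strings.Builder
	fmt.Fprintf(&b, "[%s]\n", name)
	for _, p := range kv {
		if err := ValidateINIValue(p[1]); err != nil {
			return "", fmt.Errorf("%s.%s: %w", name, p[0], err)
		}
		fmt.Fprintf(&b, "%s = %s\n", p[0], p[1])
	}
	return b.String(), nil
}

// UnexpectedKeys audits an already-written section: any key outside the allow-list (e.g. rendering_args under [smtp]) is how an injection surfaces.
func UnexpectedKeys(section string, allowed map[string]bool) []string {
	var found []string
	for _, line := range strings.Split(section, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || line[0] == '[' || line[0] == ';' || line[0] == '#' {
			continue
		}
		key := strings.TrimSpace(strings.SplitN(line, "=", 2)[0])
		if !allowed[key] {
			found = append(found, key)
		}
	}
	return found
}

func main() {
	// Constructed sample: the from_name value would have started a new line in the file.
	_, err := RenderSection("smtp", [][2]string{{"user", "alerts"}, {"from_name", "Grafana\nextra = 1"}})
	fmt.Println("rejected:", err)
}
```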