Original Post: Grafana RCE via SMTP server parameter injection
This vulnerability was analyzed during Episode 173 on 05 December 2022
The username, from_name and password fields of the SMTP server configuration accept new-line characters, which are written verbatim into the generated configuration file. Because each new line is parsed as a fresh setting, an attacker can use these fields to inject configuration parameters that are not normally exposed through the interface. In particular, setting rendering_args for the Grafana Image Rendering plugin, whose --renderer-cmd-prefix argument controls the command used to launch the renderer, turns this into command injection.
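The following Go program is an added illustration of the bug class described above and is not code from the original post or from Grafana. It models a config writer that interpolates SMTP fields into an INI-style section (`RenderNaive`), shows that a line break in a value smuggles an extra key into the output, and contrasts it with a hardened variant (`Validate`/`RenderSafe`) that refuses CR, LF and other control characters before rendering. `UnexpectedKeys` is a post-render check a defender can run over generated config to detect keys the form was never meant to emit. All type, function and key names (`SMTPSettings`, `AllowedKeys`, `injected_key`) are assumptions made for this example; the tainted input is constructed and uses a placeholder key rather than any real parameter.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// SMTPSettings models the operator-supplied fields named in the write-up.
// The type and function names here are assumptions for this example; they
// are not Grafana's own code.
type SMTPSettings struct {
	User     string
	Password string
	FromName string
}

// AllowedKeys is the complete set of keys the SMTP form is meant to emit.
var AllowedKeys = []string{"user", "password", "from_name"}

// ErrControlChar is returned when a field would break out of its line.
var ErrControlChar = errors.New("SMTP field contains a line break or control character")

// RenderNaive interpolates the values straight into an INI-style section.
// A CR or LF inside a value therefore starts a new config line, which is
// the defect the write-up describes.
func RenderNaive(s SMTPSettings) string {
	return fmt.Sprintf("[smtp]\nuser = %s\npassword = %s\nfrom_name = %s\n",
		s.User, s.Password, s.FromName)
}

// Validate rejects any value that contains CR, LF or another control
// character, so a value can never span more than one config line.
func Validate(s SMTPSettings) error {
	fields := []struct{ name, value string }{
		{"user", s.User}, {"password", s.Password}, {"from_name", s.FromName},
	}
	for _, f := range fields {
		if strings.ContainsAny(f.value, "\r\n") || strings.IndexFunc(f.value, unicode.IsControl) >= 0 {
			return fmt.Errorf("%w: %s", ErrControlChar, f.name)
		}
	}
	return nil
}

// RenderSafe is the hardened form: validate first, then render.
func RenderSafe(s SMTPSettings) (string, error) {
	if err := Validate(s); err != nil {
		return "", err
	}
	return RenderNaive(s), nil
}

// ParseKeys returns every "key = value" key found in rendered INI text,
// in order of appearance. Section headers and comments are skipped.
func ParseKeys(ini string) []string {
	var keys []string
	sc := bufio.NewScanner(strings.NewReader(ini))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "[") || strings.HasPrefix(line, ";") || strings.HasPrefix(line, "#") {
			continue
		}
		key, _, found := strings.Cut(line, "=")
		if !found {
			continue
		}
		keys = append(keys, strings.TrimSpace(key))
	}
	return keys
}

// UnexpectedKeys lists keys in the rendered text that are not in allowed.
// Running this over a generated config is a cheap post-render check that
// catches smuggled settings regardless of which field carried them.
func UnexpectedKeys(ini string, allowed []string) []string {
	ok := make(map[string]bool, len(allowed))
	for _, k := range allowed {
		ok[k] = true
	}
	var extra []string
	for _, k := range ParseKeys(ini) {
		if !ok[k] {
			extra = append(extra, k)
		}
	}
	return extra
}

func main() {
	// Constructed input: a line break followed by a placeholder key, standing
	// in for the hidden parameter the write-up mentions.
	tainted := SMTPSettings{User: "alice\ninjected_key = injected_value", Password: "secret", FromName: "Grafana"}
	fmt.Println("naive render smuggled keys:", UnexpectedKeys(RenderNaive(tainted), AllowedKeys))
	if _, err := RenderSafe(tainted); err != nil {
		fmt.Println("hardened render rejected:", err)
	}
}
```

The fix sits at the trust boundary (the form input), not in the file writer: rejecting control characters outright is simpler and safer than trying to escape them for whatever INI dialect the consumer parses, and the allow-list check on the rendered output gives a second, independent signal if a new field is added later without validation.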