QwikSec

Security Database

CVE

CWE

Training

CVE-2020-13379

Published: Jun 3, 2020

Modified: Aug 4, 2024

PUBLISHED

Description

The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://community.grafana.com/t/release-notes-v6-7-x/27119

x_refsource_MISC

http://www.openwall.com/lists/oss-security/2020/06/03/4

x_refsource_CONFIRM

https://community.grafana.com/t/grafana-7-0-2-and-6-7-4-security-update/31408

x_refsource_MISC

https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/

x_refsource_CONFIRM

https://community.grafana.com/t/release-notes-v7-0-x/29381

x_refsource_MISC

https://security.netapp.com/advisory/ntap-20200608-0006/

x_refsource_CONFIRM

[oss-security] 20200609 Re: Grafana 6.7.4 and 7.0.2 released with fix for CVE-2020-13379

mailing-list

x_refsource_MLIST

FEDORA-2020-e6e81a03d6

vendor-advisory

x_refsource_FEDORA

FEDORA-2020-a09e5be0be

vendor-advisory

x_refsource_FEDORA

openSUSE-SU-2020:0892

vendor-advisory

x_refsource_SUSE

https://mostwanted002.cf/post/grafanados/

x_refsource_MISC

http://packetstormsecurity.com/files/158320/Grafana-7.0.1-Denial-Of-Service.html

x_refsource_MISC

openSUSE-SU-2020:1105

vendor-advisory

x_refsource_SUSE

https://rhynorater.github.io/CVE-2020-13379-Write-Up

x_refsource_MISC

[ambari-issues] 20200903 [jira] [Assigned] (AMBARI-25547) Update Grafana version to 6.7.4 to avoid CVE-2020-13379

mailing-list

x_refsource_MLIST

[ambari-issues] 20200903 [jira] [Created] (AMBARI-25547) Update Grafana version to 6.7.4 to avoid CVE-2020-13379

mailing-list

x_refsource_MLIST

openSUSE-SU-2020:1611

vendor-advisory

x_refsource_SUSE

openSUSE-SU-2020:1646

vendor-advisory

x_refsource_SUSE

[ambari-issues] 20210121 [jira] [Updated] (AMBARI-25547) Update Grafana version to 6.7.4 to avoid CVE-2020-13379

mailing-list

x_refsource_MLIST

[ambari-dev] 20210121 [GitHub] [ambari] payert opened a new pull request #3279: AMBARI-25547 Update Grafana version to 6.7.4 to avoid CVE-2020-13379

mailing-list

x_refsource_MLIST

[ambari-dev] 20210121 [GitHub] [ambari] payert commented on a change in pull request #3279: AMBARI-25547 Update Grafana version to 6.7.4 to avoid CVE-2020-13379

mailing-list

x_refsource_MLIST

[ambari-dev] 20210121 [GitHub] [ambari] dvitiiuk commented on a change in pull request #3279: AMBARI-25547 Update Grafana version to 6.7.4 to avoid CVE-2020-13379

mailing-list

x_refsource_MLIST

[ambari-dev] 20210122 [GitHub] [ambari] payert commented on a change in pull request #3279: AMBARI-25547 Update Grafana version to 6.7.4 to avoid CVE-2020-13379

mailing-list

x_refsource_MLIST

[ambari-dev] 20210122 [GitHub] [ambari] payert opened a new pull request #3279: AMBARI-25547 Update Grafana version to 6.7.4 to avoid CVE-2020-13379

mailing-list

x_refsource_MLIST

[ambari-dev] 20210122 [GitHub] [ambari] dvitiiuk commented on a change in pull request #3279: AMBARI-25547 Update Grafana version to 6.7.4 to avoid CVE-2020-13379

mailing-list

x_refsource_MLIST

[ambari-commits] 20210125 [ambari] branch branch-2.7 updated: AMBARI-25547 Update Grafana version to 6.7.4 to avoid CVE-2020-13379 (#3279)

mailing-list

x_refsource_MLIST

[ambari-dev] 20210125 [GitHub] [ambari] payert merged pull request #3279: AMBARI-25547 Update Grafana version to 6.7.4 to avoid CVE-2020-13379

mailing-list

x_refsource_MLIST

[ambari-issues] 20210127 [jira] [Resolved] (AMBARI-25547) Update Grafana version to 6.7.4 to avoid CVE-2020-13379

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.