Vulnerability CVE-2020-13379


Published: 2020-06-03

Description:
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF (Server-Side Request Forgery) issue caused by incorrect access control. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return the result to the user/client. This can be used to gain information about the network that Grafana is running on.

See advisories in our WLB2 database:

Topic                             | Author          | Date       | Med.
Grafana 7.0.1 Denial Of Service   | mostwanted002   | 07.07.2020 |

Type:

CWE-918

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Base Score:         5/10
Impact Subscore:         2.9/10
Exploitability Subscore: 10/10

Exploit range:           Remote
Attack complexity:       Low
Authentication:          Not required

Confidentiality impact:  Partial
Integrity impact:        None
Availability impact:     None

Affected software:
Grafana -> Grafana

References:
http://www.openwall.com/lists/oss-security/2020/06/03/4
http://www.openwall.com/lists/oss-security/2020/06/09/2
https://community.grafana.com/t/grafana-7-0-2-and-6-7-4-security-update/31408
https://community.grafana.com/t/release-notes-v6-7-x/27119
https://community.grafana.com/t/release-notes-v7-0-x/29381
https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/
https://security.netapp.com/advisory/ntap-20200608-0006/

Copyright 2024, cxsecurity.com
