PT-2020-5961 · Grafana +4

Published: 2020-06-03 · Updated: 2024-11-27 · CVE-2020-13379

CVSS v3.1: 8.2 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Grafana versions 3.0.1 through 7.0.1

Description: The avatar feature in Grafana has an SSRF (incorrect access control) issue that allows any unauthenticated user or client to make Grafana send HTTP requests to an arbitrary URL and return the result to that user or client. This can be used to gain information about the network Grafana is running on. Furthermore, passing invalid URL objects can be used to cause a denial of service by crashing Grafana with a segmentation fault. The vulnerability may also allow remote code execution.

Recommendations: For Grafana versions 3.0.1 through 7.0.1, consider disabling the avatar feature until a patch is available to prevent exploitation of the SSRF vulnerability. Restrict access to the avatar feature to minimize the risk of unauthorized access to internal information. Avoid using the avatar feature to fetch internal files or make unauthorized HTTP requests until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Tags: Exploit · DoS · SSRF

Weakness Enumeration

Related Identifiers

ALT-PU-2020-2096
ALT-PU-2020-2323
BDU:2021-02136
BIT-GRAFANA-2020-13379
CESA-2020_2641
CVE-2020-13379
ELSA-2020-2641
ELSA-2020-5726
GHSA-WC9W-WVQ2-FFM9
OPENSUSE-SU-2020:0892-1
OPENSUSE-SU-2020:1105-1
OPENSUSE-SU-2020:1611-1
OPENSUSE-SU-2020:1646-1
OPENSUSE-SU-2020_0892-1
OPENSUSE-SU-2020_1105-1
OPENSUSE-SU-2024:10818-1
RHSA-2020:2641
RHSA-2020:2676
RHSA-2020:2796
RHSA-2020:2861
RHSA-2020:5599
RHSA-2020_2641
RHSA-2021:1518
SUSE-RU-2020:2072-1
SUSE-RU-2020:2161-1
SUSE-SU-2020:1715-1
SUSE-SU-2020:1718-1
SUSE-SU-2020:1901-1
SUSE-SU-2020:1970-1
SUSE-SU-2020:1972-1
SUSE-SU-2020:2911-1
SUSE-SU-2021:1233-1
SUSE-SU-2021:1962-1

Affected Products

Alt Linux
Centos
Grafana
Red Hat
Suse