CVE-2020-13379 — HIGH (8.2)

Q: How severe is CVE-2020-13379?

CVE-2020-13379 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-13379?

Check the references section above for vendor advisories and patch information. Affected products include: Grafana Grafana, Fedoraproject Fedora, Netapp E-Series Performance Analyzer, Opensuse Leap, Opensuse Backports Sle.

Vulnerability Description

The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault.

CVSS Score

8.2

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Grafana	Grafana	>= 3.0.1, <= 7.0.1
Fedoraproject	Fedora	31
Netapp	E-Series Performance Analyzer	-
Opensuse	Leap	15.2
Opensuse	Backports Sle	15.0

Related Weaknesses (CWE)

CWE-918

References

http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00017.htmlMailing ListThird Party Advisory
http://packetstormsecurity.com/files/158320/Grafana-7.0.1-Denial-Of-Service.htmlExploitThird Party AdvisoryVDB Entry
http://www.openwall.com/lists/oss-security/2020/06/03/4Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2020/06/09/2Mailing ListThird Party Advisory
https://community.grafana.com/t/grafana-7-0-2-and-6-7-4-security-update/31408Vendor Advisory
https://community.grafana.com/t/release-notes-v6-7-x/27119Release NotesVendor Advisory
https://community.grafana.com/t/release-notes-v7-0-x/29381Release NotesVendor Advisory
https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-importVendor Advisory
https://lists.apache.org/thread.html/r0928ee574281f8b6156e0a6d0291bfc27100a9dd3f
https://lists.apache.org/thread.html/r093b405a49fd31efa0d949ac1a887101af1ca95652
https://lists.apache.org/thread.html/r40f0a97b6765de6b8938bc212ee9dfb5101e9efa48
https://lists.apache.org/thread.html/r6670a6c29044bcb77d4e5d165b5bd13fffe37b84ca

FAQ

What is CVE-2020-13379?

CVE-2020-13379 is a vulnerability with a CVSS score of 8.2 (HIGH). The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL an...

How severe is CVE-2020-13379?

CVE-2020-13379 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-13379?

Check the references section above for vendor advisories and patch information. Affected products include: Grafana Grafana, Fedoraproject Fedora, Netapp E-Series Performance Analyzer, Opensuse Leap, Opensuse Backports Sle.