Vulnerability Details : CVE-2020-13379
Potential exploit
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF (incorrect access control) issue: any unauthenticated user/client can make Grafana send HTTP requests to an arbitrary URL and return the result to that user/client. This can be used to gain information about the network Grafana is running on. Furthermore, passing invalid URL objects can crash Grafana with a segmentation fault, causing a denial of service.
Vulnerability category: Server-side request forgery (SSRF); Denial of service
Products affected by CVE-2020-13379
- cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*
- cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
- cpe:2.3:a:opensuse:backports_sle:15.0:sp2:*:*:*:*:*:*
- cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*
- cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-13379
- EPSS score: 92.68% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~100% (the proportion of vulnerabilities that are scored at or below this one)
CVSS scores for CVE-2020-13379
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:P | 10.0 | 4.9 | NIST | 
8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H | 3.9 | 4.2 | NIST | 
CWE ids for CVE-2020-13379
- The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2020-13379
- https://community.grafana.com/t/release-notes-v7-0-x/29381
  Release Notes v7.0.x - Releases - Grafana Community (Release Notes; Vendor Advisory)
- https://lists.apache.org/thread.html/r984c3b42a500f5a6a89fbee436b9432fada5dc27ebab04910aafe4da@%3Cissues.ambari.apache.org%3E
  [jira] [Resolved] (AMBARI-25547) Update Grafana version to 6.7.4 to avoid CVE-2020-13379 - Pony Mail (Mailing List; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EEKSZ6GE4EDOFZ23NGYWOCMD6O4JF5SO/
  [SECURITY] Fedora 32 Update: grafana-6.7.4-1.fc32 - package-announce - Fedora Mailing-Lists (Third Party Advisory)
- https://lists.apache.org/thread.html/r093b405a49fd31efa0d949ac1a887101af1ca95652a66094194ed933@%3Cdev.ambari.apache.org%3E
  [GitHub] [ambari] payert opened a new pull request #3279: AMBARI-25547 Update Grafana version to 6.7.4 to avoid CVE-2020-13379 - Pony Mail (Mailing List; Third Party Advisory)
- https://lists.apache.org/thread.html/re75f59639f3bc1d14c7ab362bc4485ade84f3c6a3c1a03200c20fe13@%3Cissues.ambari.apache.org%3E
  Pony Mail! (Mailing List; Third Party Advisory)
- https://lists.apache.org/thread.html/rad99b06d7360a5cf6e394afb313f8901dcd4cb777aee9c9197b3b23d@%3Cdev.ambari.apache.org%3E
  [GitHub] [ambari] payert opened a new pull request #3279: AMBARI-25547 Update Grafana version to 6.7.4 to avoid CVE-2020-13379 - Pony Mail (Mailing List; Third Party Advisory)
- https://lists.apache.org/thread.html/r40f0a97b6765de6b8938bc212ee9dfb5101e9efa48bcbbdec02b2a60@%3Cissues.ambari.apache.org%3E
  [jira] [Updated] (AMBARI-25547) Update Grafana version to 6.7.4 to avoid CVE-2020-13379 - Pony Mail (Mailing List; Third Party Advisory)
- https://community.grafana.com/t/grafana-7-0-2-and-6-7-4-security-update/31408
  Grafana 7.0.2 and 6.7.4 Security Update - Security Announcements - Grafana Community (Vendor Advisory)
- https://lists.apache.org/thread.html/rd0fd283e3844b9c54cd5ecc92d966f96d3f4318815bbf3ac41f9c820@%3Ccommits.ambari.apache.org%3E
  [ambari] branch branch-2.7 updated: AMBARI-25547 Update Grafana version to 6.7.4 to avoid CVE-2020-13379 (#3279) - Pony Mail (Mailing List; Patch; Third Party Advisory)
- https://community.grafana.com/t/release-notes-v6-7-x/27119
  Release Notes v6.7.x - Releases - Grafana Community (Release Notes; Vendor Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O2KSCCGKNEENZN3DW7TSPFBBUZH3YZXZ/
  [SECURITY] Fedora 31 Update: grafana-6.7.4-1.fc31 - package-announce - Fedora Mailing-Lists (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20200608-0006/
  CVE-2020-13379 Grafana Vulnerability in NetApp Products | NetApp Product Security (Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2020/06/09/2
  oss-security - Re: Grafana 6.7.4 and 7.0.2 released with fix for CVE-2020-13379 (Mailing List; Third Party Advisory)
- http://packetstormsecurity.com/files/158320/Grafana-7.0.1-Denial-Of-Service.html
  Grafana 7.0.1 Denial Of Service ≈ Packet Storm (Exploit; Third Party Advisory; VDB Entry)
- https://lists.apache.org/thread.html/rba0247a27be78bd14046724098462d058a9969400a82344b3007cf90@%3Cdev.ambari.apache.org%3E
  [GitHub] [ambari] payert commented on a change in pull request #3279: AMBARI-25547 Update Grafana version to 6.7.4 to avoid CVE-2020-13379 - Pony Mail (Mailing List; Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html
  [security-announce] openSUSE-SU-2020:0892-1: moderate: Security update f (Mailing List; Third Party Advisory)
- https://rhynorater.github.io/CVE-2020-13379-Write-Up
  CVE-2020-13379 (Exploit; Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html
  [security-announce] openSUSE-SU-2020:1611-1: moderate: Security update f (Mailing List; Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.html
  [security-announce] openSUSE-SU-2020:1105-1: moderate: Security update f (Mailing List; Third Party Advisory)
- https://lists.apache.org/thread.html/r6670a6c29044bcb77d4e5d165b5bd13fffe37b84caa5d6471b13b3a2@%3Cdev.ambari.apache.org%3E
  [GitHub] [ambari] payert merged pull request #3279: AMBARI-25547 Update Grafana version to 6.7.4 to avoid CVE-2020-13379 - Pony Mail (Mailing List; Third Party Advisory)
- https://lists.apache.org/thread.html/r0928ee574281f8b6156e0a6d0291bfc27100a9dd3f9b0177ece24ae4@%3Cdev.ambari.apache.org%3E
  [GitHub] [ambari] dvitiiuk commented on a change in pull request #3279: AMBARI-25547 Update Grafana version to 6.7.4 to avoid CVE-2020-13379 - Pony Mail (Mailing List; Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2020/06/03/4
  oss-security - Grafana 6.7.4 and 7.0.2 released with fix for CVE-2020-13379 (Mailing List; Third Party Advisory)
- https://lists.apache.org/thread.html/rff71126fa7d9f572baafb9be44078ad409c85d2c0f3e26664f1ef5a2@%3Cdev.ambari.apache.org%3E
  [GitHub] [ambari] dvitiiuk commented on a change in pull request #3279: AMBARI-25547 Update Grafana version to 6.7.4 to avoid CVE-2020-13379 - Pony Mail (Mailing List; Third Party Advisory)
- https://lists.apache.org/thread.html/re7c4b251b52f49ba6ef752b829bca9565faaf93d03206b1db6644d31@%3Cdev.ambari.apache.org%3E
  [GitHub] [ambari] payert commented on a change in pull request #3279: AMBARI-25547 Update Grafana version to 6.7.4 to avoid CVE-2020-13379 - Pony Mail (Mailing List; Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00017.html
  [security-announce] openSUSE-SU-2020:1646-1: moderate: Security update f (Mailing List; Third Party Advisory)
- https://mostwanted002.cf/post/grafanados/
  Unauthenticated DoS on Grafana 3.0.1 - 7.0.1 | Mayank Malik (Exploit; Third Party Advisory)
- https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/
  Grafana 6.7.4 and 7.0.2 released with important security fix | Grafana Labs (Vendor Advisory)
- https://lists.apache.org/thread.html/r6bb57124a21bb638f552d81650c66684e70fc1ff9f40b6a8840171cd@%3Cissues.ambari.apache.org%3E
  [jira] [Created] (AMBARI-25547) Update Grafana version to 6.7.4 to avoid CVE-2020-13379 - Pony Mail (Mailing List; Third Party Advisory)