CVE-2020-13379

The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF (server-side request forgery) and incorrect access control issue. It allows any unauthenticated user or client to make Grafana send an HTTP request to an arbitrary URL and return the response to that client. This can be used to map the network Grafana runs on, including hosts reachable only from the Grafana server. Furthermore, passing invalid URL objects can crash Grafana with a segmentation fault, a denial of service. The vendor advisories listed below report the fix in Grafana 6.7.4 and 7.0.2.
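The bug class described above is a server that fetches a user-influenced URL and relays the response, combined with a crash on malformed input. The following Go code shows the checks a hardened fetch path needs. It is an added example written for this page, not Grafana's code or its fix: the allowlisted host name "avatars.example.com", the blocked address ranges and the injectable resolver hook are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"syscall"
	"time"
)

// allowedHosts: the only upstreams the image proxy may contact. The host name
// is a placeholder for this example; the page does not name Grafana's provider.
var allowedHosts = map[string]bool{"avatars.example.com": true}

// blockedNets: ranges a proxy must never reach even if an allowlisted name
// resolves to them (attacker-controlled DNS, rebinding).
var blockedNets []*net.IPNet

func init() {
	for _, cidr := range []string{"0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10",
		"172.16.0.0/12", "192.168.0.0/16", "fc00::/7"} {
		_, n, err := net.ParseCIDR(cidr)
		if err != nil {
			panic(err)
		}
		blockedNets = append(blockedNets, n)
	}
}

// IsPrivate reports whether ip is loopback, link-local, multicast, unspecified
// or inside blockedNets. A nil (unparseable) IP counts as unsafe.
func IsPrivate(ip net.IP) bool {
	if ip == nil || ip.IsLoopback() || ip.IsUnspecified() || ip.IsMulticast() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
		return true
	}
	if v4 := ip.To4(); v4 != nil {
		ip = v4 // normalise IPv4-mapped IPv6 so the IPv4 ranges match
	}
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ValidateUpstream vets a user-influenced URL before any request is built.
// A parse failure is returned as an error rather than letting a nil *url.URL
// reach the request code, which is the kind of input the advisory says crashes
// the server. resolve is injected so the check runs offline in tests.
func ValidateUpstream(raw string, resolve func(string) ([]net.IP, error)) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("reject: unparseable url: %w", err)
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("reject: scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return nil, fmt.Errorf("reject: userinfo not allowed")
	}
	if p := u.Port(); p != "" && p != "443" {
		return nil, fmt.Errorf("reject: port %s not allowed", p)
	}
	host := strings.ToLower(u.Hostname())
	if !allowedHosts[host] {
		return nil, fmt.Errorf("reject: host %q not in allowlist", host)
	}
	ips, err := resolve(host)
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("reject: cannot resolve %q: %v", host, err)
	}
	for _, ip := range ips {
		if IsPrivate(ip) {
			return nil, fmt.Errorf("reject: %q resolves to non-public %s", host, ip)
		}
	}
	return u, nil
}

// NewProxyClient re-checks the destination IP at connect time (closing the
// resolve-then-connect race), refuses to follow redirects (an allowlisted host
// must not bounce the request to an internal address) and enforces a timeout.
func NewProxyClient() *http.Client {
	dialer := &net.Dialer{
		Timeout: 3 * time.Second,
		Control: func(_, address string, _ syscall.RawConn) error {
			host, _, err := net.SplitHostPort(address)
			if err != nil {
				return err
			}
			if IsPrivate(net.ParseIP(host)) {
				return fmt.Errorf("dial to %s refused by ssrf guard", address)
			}
			return nil
		},
	}
	return &http.Client{
		Timeout:   5 * time.Second,
		Transport: &http.Transport{DialContext: dialer.DialContext},
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}
```

In production, pass net.LookupIP as the resolver to ValidateUpstream and issue the request through NewProxyClient. The dial-time Control hook is the check that matters when DNS answers change between validation and connect: it sees the resolved ip:port, so link-local IPv6 zones and anything net.ParseIP cannot parse are refused together with the private ranges.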
References
Link Resource
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.html Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00017.html Mailing List Third Party Advisory
http://packetstormsecurity.com/files/158320/Grafana-7.0.1-Denial-Of-Service.html Exploit Third Party Advisory VDB Entry
http://www.openwall.com/lists/oss-security/2020/06/03/4 Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2020/06/09/2 Mailing List Third Party Advisory
https://community.grafana.com/t/grafana-7-0-2-and-6-7-4-security-update/31408 Vendor Advisory
https://community.grafana.com/t/release-notes-v6-7-x/27119 Release Notes Vendor Advisory
https://community.grafana.com/t/release-notes-v7-0-x/29381 Release Notes Vendor Advisory
https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/ Vendor Advisory
https://lists.apache.org/thread.html/r0928ee574281f8b6156e0a6d0291bfc27100a9dd3f9b0177ece24ae4@%3Cdev.ambari.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r093b405a49fd31efa0d949ac1a887101af1ca95652a66094194ed933@%3Cdev.ambari.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r40f0a97b6765de6b8938bc212ee9dfb5101e9efa48bcbbdec02b2a60@%3Cissues.ambari.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r6670a6c29044bcb77d4e5d165b5bd13fffe37b84caa5d6471b13b3a2@%3Cdev.ambari.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r6bb57124a21bb638f552d81650c66684e70fc1ff9f40b6a8840171cd@%3Cissues.ambari.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r984c3b42a500f5a6a89fbee436b9432fada5dc27ebab04910aafe4da@%3Cissues.ambari.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/rad99b06d7360a5cf6e394afb313f8901dcd4cb777aee9c9197b3b23d@%3Cdev.ambari.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/rba0247a27be78bd14046724098462d058a9969400a82344b3007cf90@%3Cdev.ambari.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/rd0fd283e3844b9c54cd5ecc92d966f96d3f4318815bbf3ac41f9c820@%3Ccommits.ambari.apache.org%3E Mailing List Patch Third Party Advisory
https://lists.apache.org/thread.html/re75f59639f3bc1d14c7ab362bc4485ade84f3c6a3c1a03200c20fe13@%3Cissues.ambari.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/re7c4b251b52f49ba6ef752b829bca9565faaf93d03206b1db6644d31@%3Cdev.ambari.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/rff71126fa7d9f572baafb9be44078ad409c85d2c0f3e26664f1ef5a2@%3Cdev.ambari.apache.org%3E Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EEKSZ6GE4EDOFZ23NGYWOCMD6O4JF5SO/ Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O2KSCCGKNEENZN3DW7TSPFBBUZH3YZXZ/ Third Party Advisory
https://mostwanted002.cf/post/grafanados/ Exploit Third Party Advisory
https://rhynorater.github.io/CVE-2020-13379-Write-Up Exploit Third Party Advisory
https://security.netapp.com/advisory/ntap-20200608-0006/ Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*

Configuration 2

OR cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

Configuration 3

cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*

Configuration 4

cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*

Configuration 5

OR cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
cpe:2.3:a:opensuse:backports_sle:15.0:sp2:*:*:*:*:*:*

History

29 Jan 2021, 16:41

Type: CPE
Values Added:
  • cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*
  • cpe:2.3:a:opensuse:backports_sle:15.0:sp2:*:*:*:*:*:*
  • cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*

Type: References
Values Removed / Values Added: each reference below was removed as an untagged entry and re-added with the resource tags shown.
  • (MLIST) https://lists.apache.org/thread.html/rba0247a27be78bd14046724098462d058a9969400a82344b3007cf90@%3Cdev.ambari.apache.org%3E : Mailing List, Third Party Advisory
  • (MLIST) https://lists.apache.org/thread.html/r984c3b42a500f5a6a89fbee436b9432fada5dc27ebab04910aafe4da@%3Cissues.ambari.apache.org%3E : Mailing List, Third Party Advisory
  • (SUSE) http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html : Mailing List, Third Party Advisory
  • (MLIST) https://lists.apache.org/thread.html/r40f0a97b6765de6b8938bc212ee9dfb5101e9efa48bcbbdec02b2a60@%3Cissues.ambari.apache.org%3E : Mailing List, Third Party Advisory
  • (MLIST) https://lists.apache.org/thread.html/rad99b06d7360a5cf6e394afb313f8901dcd4cb777aee9c9197b3b23d@%3Cdev.ambari.apache.org%3E : Mailing List, Third Party Advisory
  • (MISC) https://mostwanted002.cf/post/grafanados/ : Exploit, Third Party Advisory
  • (MLIST) https://lists.apache.org/thread.html/rff71126fa7d9f572baafb9be44078ad409c85d2c0f3e26664f1ef5a2@%3Cdev.ambari.apache.org%3E : Mailing List, Third Party Advisory
  • (MLIST) https://lists.apache.org/thread.html/r6670a6c29044bcb77d4e5d165b5bd13fffe37b84caa5d6471b13b3a2@%3Cdev.ambari.apache.org%3E : Mailing List, Third Party Advisory
  • (MLIST) https://lists.apache.org/thread.html/r093b405a49fd31efa0d949ac1a887101af1ca95652a66094194ed933@%3Cdev.ambari.apache.org%3E : Mailing List, Third Party Advisory
  • (MLIST) https://lists.apache.org/thread.html/r6bb57124a21bb638f552d81650c66684e70fc1ff9f40b6a8840171cd@%3Cissues.ambari.apache.org%3E : Mailing List, Third Party Advisory
  • (MISC) https://rhynorater.github.io/CVE-2020-13379-Write-Up : Exploit, Third Party Advisory
  • (MLIST) https://lists.apache.org/thread.html/re7c4b251b52f49ba6ef752b829bca9565faaf93d03206b1db6644d31@%3Cdev.ambari.apache.org%3E : Mailing List, Third Party Advisory
  • (MLIST) https://lists.apache.org/thread.html/rd0fd283e3844b9c54cd5ecc92d966f96d3f4318815bbf3ac41f9c820@%3Ccommits.ambari.apache.org%3E : Mailing List, Patch, Third Party Advisory
  • (SUSE) http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00017.html : Mailing List, Third Party Advisory
  • (MLIST) https://lists.apache.org/thread.html/re75f59639f3bc1d14c7ab362bc4485ade84f3c6a3c1a03200c20fe13@%3Cissues.ambari.apache.org%3E : Mailing List, Third Party Advisory
  • (SUSE) http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.html : Mailing List, Third Party Advisory
  • (MLIST) https://lists.apache.org/thread.html/r0928ee574281f8b6156e0a6d0291bfc27100a9dd3f9b0177ece24ae4@%3Cdev.ambari.apache.org%3E : Mailing List, Third Party Advisory
  • (SUSE) http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html : Mailing List, Third Party Advisory
  • (MISC) http://packetstormsecurity.com/files/158320/Grafana-7.0.1-Denial-Of-Service.html : Exploit, Third Party Advisory, VDB Entry

27 Jan 2021, 11:15

Type: References
Values Added:
  • (MLIST) https://lists.apache.org/thread.html/r984c3b42a500f5a6a89fbee436b9432fada5dc27ebab04910aafe4da@%3Cissues.ambari.apache.org%3E -

26 Jan 2021, 18:15

Type: References
Values Added:
  • (MLIST) https://lists.apache.org/thread.html/rff71126fa7d9f572baafb9be44078ad409c85d2c0f3e26664f1ef5a2@%3Cdev.ambari.apache.org%3E -
  • (MLIST) https://lists.apache.org/thread.html/r6670a6c29044bcb77d4e5d165b5bd13fffe37b84caa5d6471b13b3a2@%3Cdev.ambari.apache.org%3E -
  • (MLIST) https://lists.apache.org/thread.html/r093b405a49fd31efa0d949ac1a887101af1ca95652a66094194ed933@%3Cdev.ambari.apache.org%3E -
  • (MLIST) https://lists.apache.org/thread.html/re7c4b251b52f49ba6ef752b829bca9565faaf93d03206b1db6644d31@%3Cdev.ambari.apache.org%3E -
  • (MLIST) https://lists.apache.org/thread.html/r0928ee574281f8b6156e0a6d0291bfc27100a9dd3f9b0177ece24ae4@%3Cdev.ambari.apache.org%3E -
  • (MLIST) https://lists.apache.org/thread.html/rba0247a27be78bd14046724098462d058a9969400a82344b3007cf90@%3Cdev.ambari.apache.org%3E -
  • (MLIST) https://lists.apache.org/thread.html/rd0fd283e3844b9c54cd5ecc92d966f96d3f4318815bbf3ac41f9c820@%3Ccommits.ambari.apache.org%3E -
  • (MLIST) https://lists.apache.org/thread.html/r40f0a97b6765de6b8938bc212ee9dfb5101e9efa48bcbbdec02b2a60@%3Cissues.ambari.apache.org%3E -
  • (MLIST) https://lists.apache.org/thread.html/rad99b06d7360a5cf6e394afb313f8901dcd4cb777aee9c9197b3b23d@%3Cdev.ambari.apache.org%3E -

Information

Published : 2020-06-03 19:15

Updated : 2021-01-29 16:41


NVD link : CVE-2020-13379

Mitre link : CVE-2020-13379



Products Affected

grafana

  • grafana

fedoraproject

  • fedora

netapp

  • e-series_performance_analyzer

opensuse

  • backports_sle
  • leap
CWE

CWE-918: Server-Side Request Forgery (SSRF)