CVE-2020-13379: SSRF
First published: Wed Jun 03 2020(Updated: )
An SSRF incorrect access control vulnerability was found in Grafana regarding the avatar feature, allowing any unauthenticated user or client to make Grafana send HTTP requests to any URL and then return its result to the user or client. Additionally, the same issue can create a NULL pointer dereference vulnerability. This flaw allows an attacker to gain information about the network that Grafana is running on, or cause a segmentation fault, resulting in a denial of service.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/grafana/grafana | >=7.0.0<7.0.2 | 7.0.2 |
| go/github.com/grafana/grafana | >=3.0.1<6.7.4 | 6.7.4 |
| redhat/grafana | <7.0.2 | 7.0.2 |
| redhat/grafana | <6.7.4 | 6.7.4 |
| redhat/servicemesh-grafana | <0:6.2.2-38.el8 | 0:6.2.2-38.el8 |
| redhat/servicemesh-grafana | <0:6.4.3-11.el8 | 0:6.4.3-11.el8 |
| redhat/ceph | <2:12.2.12-139.el7c | 2:12.2.12-139.el7c |
| redhat/ceph-ansible | <0:3.2.56-1.el7c | 0:3.2.56-1.el7c |
| redhat/cephmetrics | <0:2.0.10-1.el7c | 0:2.0.10-1.el7c |
| redhat/grafana | <0:5.2.4-3.el7c | 0:5.2.4-3.el7c |
| redhat/tcmu-runner | <0:1.4.0-3.el7c | 0:1.4.0-3.el7c |
| redhat/grafana | <0:6.3.6-2.el8_2 | 0:6.3.6-2.el8_2 |
| redhat/grafana | <0:6.2.2-6.el8_1 | 0:6.2.2-6.el8_1 |
| redhat/grafana | <0:5.2.4-3.el7 | 0:5.2.4-3.el7 |
| Grafana Grafana | >=3.0.1<=7.0.1 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| Netapp E-series Performance Analyzer | ||
| openSUSE Leap | =15.2 | |
| openSUSE Backports SLE | =15.0-sp1 | |
| openSUSE Backports SLE | =15.0-sp2 |
Remedy
This issue can be mitigated by blocking access to the URL path /avatar/*, through a method such as a reverse proxy, load balancer, application firewall etc.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2020-13379
- https://github.com/grafana/grafana/commit/ba953be95f0302c2ea80d23f1e5f2c1847365192
- https://community.grafana.com/t/grafana-7-0-2-and-6-7-4-security-update/31408
- https://community.grafana.com/t/release-notes-v6-7-x/27119
- https://community.grafana.com/t/release-notes-v7-0-x/29381
- https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/
- https://lists.apache.org/thread.html/r0928ee574281f8b6156e0a6d0291bfc27100a9dd3f9b0177ece24ae4@%3Cdev.ambari.apache.org%3E
- https://lists.apache.org/thread.html/r093b405a49fd31efa0d949ac1a887101af1ca95652a66094194ed933@%3Cdev.ambari.apache.org%3E
- https://lists.apache.org/thread.html/r40f0a97b6765de6b8938bc212ee9dfb5101e9efa48bcbbdec02b2a60@%3Cissues.ambari.apache.org%3E
- https://lists.apache.org/thread.html/r6670a6c29044bcb77d4e5d165b5bd13fffe37b84caa5d6471b13b3a2@%3Cdev.ambari.apache.org%3E
- https://lists.apache.org/thread.html/r6bb57124a21bb638f552d81650c66684e70fc1ff9f40b6a8840171cd@%3Cissues.ambari.apache.org%3E
- https://lists.apache.org/thread.html/r984c3b42a500f5a6a89fbee436b9432fada5dc27ebab04910aafe4da@%3Cissues.ambari.apache.org%3E
- https://lists.apache.org/thread.html/rad99b06d7360a5cf6e394afb313f8901dcd4cb777aee9c9197b3b23d@%3Cdev.ambari.apache.org%3E
- https://lists.apache.org/thread.html/rba0247a27be78bd14046724098462d058a9969400a82344b3007cf90@%3Cdev.ambari.apache.org%3E
- https://lists.apache.org/thread.html/rd0fd283e3844b9c54cd5ecc92d966f96d3f4318815bbf3ac41f9c820@%3Ccommits.ambari.apache.org%3E
- https://lists.apache.org/thread.html/re75f59639f3bc1d14c7ab362bc4485ade84f3c6a3c1a03200c20fe13@%3Cissues.ambari.apache.org%3E
- https://lists.apache.org/thread.html/re7c4b251b52f49ba6ef752b829bca9565faaf93d03206b1db6644d31@%3Cdev.ambari.apache.org%3E
- https://lists.apache.org/thread.html/rff71126fa7d9f572baafb9be44078ad409c85d2c0f3e26664f1ef5a2@%3Cdev.ambari.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EEKSZ6GE4EDOFZ23NGYWOCMD6O4JF5SO/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O2KSCCGKNEENZN3DW7TSPFBBUZH3YZXZ/
- https://mostwanted002.cf/post/grafanados/
- https://rhynorater.github.io/CVE-2020-13379-Write-Up
- https://security.netapp.com/advisory/ntap-20200608-0006/
- https://www.exploit-db.com/exploits/48638
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.html
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00017.html
- http://packetstormsecurity.com/files/158320/Grafana-7.0.1-Denial-Of-Service.html
- http://www.openwall.com/lists/oss-security/2020/06/03/4
- http://www.openwall.com/lists/oss-security/2020/06/09/2
- https://github.com/advisories/GHSA-wc9w-wvq2-ffm9 (Advisory)
- https://www.cve.org/CVERecord?id=CVE-2020-13379 https://nvd.nist.gov/vuln/detail/CVE-2020-13379 https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/ https://www.openwall.com/lists/oss-security/2020/06/09/2/
- https://bugzilla.redhat.com/show_bug.cgi?id=1843640
- https://access.redhat.com/errata/RHSA-2020:2861
- https://access.redhat.com/errata/RHSA-2020:2796
- https://access.redhat.com/errata/RHSA-2021:1518
- https://access.redhat.com/errata/RHSA-2021:0083
- https://access.redhat.com/errata/RHSA-2020:2641
- https://access.redhat.com/errata/RHSA-2020:2676
- https://access.redhat.com/errata/RHSA-2020:5599
- https://access.redhat.com/errata/RHSA-2020:2792
- https://access.redhat.com/security/cve/cve-2020-13379
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1843642
- https://www.openwall.com/lists/oss-security/2020/06/09/2/
- https://github.com/grafana/grafana/commit/7a9c0e31eca4958f5fba053cfea9e64a2ea58509
- https://access.redhat.com/support/policy/updates/ceph-storage
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O2KSCCGKNEENZN3DW7TSPFBBUZH3YZXZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEKSZ6GE4EDOFZ23NGYWOCMD6O4JF5SO/
- https://lists.apache.org/thread.html/re75f59639f3bc1d14c7ab362bc4485ade84f3c6a3c1a03200c20fe13%40%3Cissues.ambari.apache.org%3E
- https://lists.apache.org/thread.html/r6bb57124a21bb638f552d81650c66684e70fc1ff9f40b6a8840171cd%40%3Cissues.ambari.apache.org%3E
- https://lists.apache.org/thread.html/r40f0a97b6765de6b8938bc212ee9dfb5101e9efa48bcbbdec02b2a60%40%3Cissues.ambari.apache.org%3E
- https://lists.apache.org/thread.html/r093b405a49fd31efa0d949ac1a887101af1ca95652a66094194ed933%40%3Cdev.ambari.apache.org%3E
- https://lists.apache.org/thread.html/rba0247a27be78bd14046724098462d058a9969400a82344b3007cf90%40%3Cdev.ambari.apache.org%3E
- https://lists.apache.org/thread.html/rff71126fa7d9f572baafb9be44078ad409c85d2c0f3e26664f1ef5a2%40%3Cdev.ambari.apache.org%3E
- https://lists.apache.org/thread.html/re7c4b251b52f49ba6ef752b829bca9565faaf93d03206b1db6644d31%40%3Cdev.ambari.apache.org%3E
- https://lists.apache.org/thread.html/rad99b06d7360a5cf6e394afb313f8901dcd4cb777aee9c9197b3b23d%40%3Cdev.ambari.apache.org%3E
- https://lists.apache.org/thread.html/r0928ee574281f8b6156e0a6d0291bfc27100a9dd3f9b0177ece24ae4%40%3Cdev.ambari.apache.org%3E
- https://lists.apache.org/thread.html/rd0fd283e3844b9c54cd5ecc92d966f96d3f4318815bbf3ac41f9c820%40%3Ccommits.ambari.apache.org%3E
- https://lists.apache.org/thread.html/r6670a6c29044bcb77d4e5d165b5bd13fffe37b84caa5d6471b13b3a2%40%3Cdev.ambari.apache.org%3E
- https://lists.apache.org/thread.html/r984c3b42a500f5a6a89fbee436b9432fada5dc27ebab04910aafe4da%40%3Cissues.ambari.apache.org%3E
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2020-13379?
CVE-2020-13379 is an SSRF incorrect access control vulnerability in Grafana.
Who is affected by CVE-2020-13379?
Any unauthenticated user or client using Grafana versions 3.0.1 through 7.0.1 is affected by CVE-2020-13379.
What is the severity of CVE-2020-13379?
CVE-2020-13379 has a severity rating of 8.2 (high).
How can I fix CVE-2020-13379?
To fix CVE-2020-13379, upgrade to Grafana version 6.7.4 or 7.0.2 which include the necessary security fix.
Where can I find more information about CVE-2020-13379?
You can find more information about CVE-2020-13379 on the CVE website, NIST's vulnerability database, Grafana's blog, and Red Hat's Bugzilla and errata pages using the provided references.
- collector/github-advisory-latest
- alias/GHSA-wc9w-wvq2-ffm9
- alias/CVE-2020-13379
- collector/github-advisory
- collector/redhat-cve
- collector/nvd-index
- collector/nvd-cve
- agent/author
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/severity
- agent/remedy
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/tags
- agent/description
- agent/event
- agent/trending
- package-manager/go
- package-manager/redhat
- vendor/grafana
- canonical/grafana grafana
- version/grafana grafana/3.0.1
- version/grafana grafana/7.0.1
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- vendor/netapp
- canonical/netapp e-series performance analyzer
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.2
- canonical/opensuse backports sle
- version/opensuse backports sle/15.0-sp1
- version/opensuse backports sle/15.0-sp2