CVE-2020-13379

Description

The avatar feature in Grafana 3.0.1 through 7.0.1 has an incorrect access control issue that enables server-side request forgery (SSRF). It allows any unauthenticated user or client to make Grafana send an HTTP request to an arbitrary URL and return the response to that user or client, which can be used to gather information about the network Grafana is running on. Furthermore, passing invalid URL objects can crash Grafana with a segmentation fault, causing a denial of service.

Risk Information

Base Score: 8.2 (MODERATE)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
EPSS Score (Exploitation Probability): 92.845

Associated Vulnerability

Vulnerability | OS Platform
Vulnerabilities CVE-2020-13379 are affected in GrafanaEnterprise 7.0.1 | Windows
(RHSA-2020:2641) grafana security update grafana-6.3.6-2.el8_2.x86_64.rpm | Linux
(RHSA-2020:2641) grafana security update grafana-azure-monitor-6.3.6-2.el8_2.x86_64.rpm | Linux
(RHSA-2020:2641) grafana security update grafana-cloudwatch-6.3.6-2.el8_2.x86_64.rpm | Linux
(RHSA-2020:2641) grafana security update grafana-elasticsearch-6.3.6-2.el8_2.x86_64.rpm | Linux
(RHSA-2020:2641) grafana security update grafana-graphite-6.3.6-2.el8_2.x86_64.rpm | Linux
(RHSA-2020:2641) grafana security update grafana-influxdb-6.3.6-2.el8_2.x86_64.rpm | Linux
(RHSA-2020:2641) grafana security update grafana-loki-6.3.6-2.el8_2.x86_64.rpm | Linux
(RHSA-2020:2641) grafana security update grafana-mssql-6.3.6-2.el8_2.x86_64.rpm | Linux
(RHSA-2020:2641) grafana security update grafana-mysql-6.3.6-2.el8_2.x86_64.rpm | Linux
(RHSA-2020:2641) grafana security update grafana-opentsdb-6.3.6-2.el8_2.x86_64.rpm | Linux
(RHSA-2020:2641) grafana security update grafana-postgres-6.3.6-2.el8_2.x86_64.rpm | Linux
(RHSA-2020:2641) grafana security update grafana-prometheus-6.3.6-2.el8_2.x86_64.rpm | Linux
(RHSA-2020:2641) grafana security update grafana-stackdriver-6.3.6-2.el8_2.x86_64.rpm | Linux
SUSE-SU-2020:1970-1 (SUSE Linux Enterprise Server 12-SP5) golang-github-prometheus-node_exporter-0.18.1-1.6.2.x86_64.rpm | Linux
Grafana update (ELSA-2020-2641) grafana-6.3.6-2.el8_2.x86_64.rpm | Linux
Grafana-azure-monitor update (ELSA-2020-2641) grafana-azure-monitor-6.3.6-2.el8_2.x86_64.rpm | Linux
Grafana-cloudwatch update (ELSA-2020-2641) grafana-cloudwatch-6.3.6-2.el8_2.x86_64.rpm | Linux
Grafana-elasticsearch update (ELSA-2020-2641) grafana-elasticsearch-6.3.6-2.el8_2.x86_64.rpm | Linux
Grafana-graphite update (ELSA-2020-2641) grafana-graphite-6.3.6-2.el8_2.x86_64.rpm | Linux
Grafana-influxdb update (ELSA-2020-2641) grafana-influxdb-6.3.6-2.el8_2.x86_64.rpm | Linux
Grafana-loki update (ELSA-2020-2641) grafana-loki-6.3.6-2.el8_2.x86_64.rpm | Linux
Grafana-mssql update (ELSA-2020-2641) grafana-mssql-6.3.6-2.el8_2.x86_64.rpm | Linux
Grafana-mysql update (ELSA-2020-2641) grafana-mysql-6.3.6-2.el8_2.x86_64.rpm | Linux
Grafana-opentsdb update (ELSA-2020-2641) grafana-opentsdb-6.3.6-2.el8_2.x86_64.rpm | Linux
Grafana-postgres update (ELSA-2020-2641) grafana-postgres-6.3.6-2.el8_2.x86_64.rpm | Linux
Grafana-prometheus update (ELSA-2020-2641) grafana-prometheus-6.3.6-2.el8_2.x86_64.rpm | Linux
Grafana-stackdriver update (ELSA-2020-2641) grafana-stackdriver-6.3.6-2.el8_2.x86_64.rpm | Linux
(CESA-2020:2641) grafana security update grafana-6.3.6-2.el8_2.x86_64.rpm | Linux
(CESA-2020:2641) grafana security update grafana-azure-monitor-6.3.6-2.el8_2.x86_64.rpm | Linux
(CESA-2020:2641) grafana security update grafana-cloudwatch-6.3.6-2.el8_2.x86_64.rpm | Linux
(CESA-2020:2641) grafana security update grafana-elasticsearch-6.3.6-2.el8_2.x86_64.rpm | Linux
(CESA-2020:2641) grafana security update grafana-graphite-6.3.6-2.el8_2.x86_64.rpm | Linux
(CESA-2020:2641) grafana security update grafana-influxdb-6.3.6-2.el8_2.x86_64.rpm | Linux
(CESA-2020:2641) grafana security update grafana-loki-6.3.6-2.el8_2.x86_64.rpm | Linux
(CESA-2020:2641) grafana security update grafana-mssql-6.3.6-2.el8_2.x86_64.rpm | Linux
(CESA-2020:2641) grafana security update grafana-mysql-6.3.6-2.el8_2.x86_64.rpm | Linux
(CESA-2020:2641) grafana security update grafana-opentsdb-6.3.6-2.el8_2.x86_64.rpm | Linux
(CESA-2020:2641) grafana security update grafana-postgres-6.3.6-2.el8_2.x86_64.rpm | Linux
(CESA-2020:2641) grafana security update grafana-prometheus-6.3.6-2.el8_2.x86_64.rpm | Linux
(CESA-2020:2641) grafana security update grafana-stackdriver-6.3.6-2.el8_2.x86_64.rpm | Linux
Grafana update (ELSA-2023-6972) grafana-9.2.10-7.el8_9.x86_64.rpm | Linux
Grafana update (ELSA-2020-4682) grafana-6.7.4-3.el8.x86_64.rpm | Linux
Grafana-azure-monitor update (ELSA-2020-4682) grafana-azure-monitor-6.7.4-3.el8.x86_64.rpm | Linux
Grafana-cloudwatch update (ELSA-2020-4682) grafana-cloudwatch-6.7.4-3.el8.x86_64.rpm | Linux
Grafana-elasticsearch update (ELSA-2020-4682) grafana-elasticsearch-6.7.4-3.el8.x86_64.rpm | Linux
Grafana-graphite update (ELSA-2020-4682) grafana-graphite-6.7.4-3.el8.x86_64.rpm | Linux
Grafana-influxdb update (ELSA-2020-4682) grafana-influxdb-6.7.4-3.el8.x86_64.rpm | Linux
Grafana-loki update (ELSA-2020-4682) grafana-loki-6.7.4-3.el8.x86_64.rpm | Linux
Grafana-mssql update (ELSA-2020-4682) grafana-mssql-6.7.4-3.el8.x86_64.rpm | Linux
Grafana-mysql update (ELSA-2020-4682) grafana-mysql-6.7.4-3.el8.x86_64.rpm | Linux
Grafana-opentsdb update (ELSA-2020-4682) grafana-opentsdb-6.7.4-3.el8.x86_64.rpm | Linux
Grafana-postgres update (ELSA-2020-4682) grafana-postgres-6.7.4-3.el8.x86_64.rpm | Linux
Grafana-prometheus update (ELSA-2020-4682) grafana-prometheus-6.7.4-3.el8.x86_64.rpm | Linux
Grafana-stackdriver update (ELSA-2020-4682) grafana-stackdriver-6.7.4-3.el8.x86_64.rpm | Linux

Patch Details

Patches provided by ManageEngine for this CVE:

Patch ID | Patch Description
PATCH-335779 | GrafanaEnterprise (10.3.1)

References

https://nvd.nist.gov/vuln/detail/CVE-2020-13379
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13379