FLAT-PP7QT – Vulnerability | Fluid Attacks Database

Database

Description

Server Side Request Forgery in Grafana The avatar feature in Grafana (github.com/grafana/grafana/pkg/api/avatar) 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue that allows remote code execution. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/grafana/grafana/pkg/api/avatar	>=3.0.1 <6.7.4 \|\| >=7.0.0 <7.0.2	6.7.4, 7.0.2
go	github.com/grafana/grafana	>=3.0.1 <6.7.4 \|\| >=7.0.0 <7.0.2	6.7.4, 7.0.2
rpm rhel8.1	grafana	<0:6.2.2-6.el8_1	0:6.2.2-6.el8_1
rpm rhel8	grafana	<0:6.3.6-2.el8_2	0:6.3.6-2.el8_2

Aliases

1. CVE-2020-133792. NVD-2020-133793. OSV-2020-133794. GHSA-wc9w-wvq2-ffm95. GCVE-2020-133796. RHYNORATER-CVE-2020-13379-Write-Up

References

1. https://github.com/grafana/grafana/commit/ba953be95f0302c2ea80d23f1e5f2c18473651922. https://community.grafana.com/t/grafana-7-0-2-and-6-7-4-security-update/314083. https://community.grafana.com/t/release-notes-v6-7-x/271194. https://community.grafana.com/t/release-notes-v7-0-x/293815. https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/6. https://lists.apache.org/thread.html/r0928ee574281f8b6156e0a6d0291bfc27100a9dd3f9b0177ece24ae4@%3Cdev.ambari.apache.org%3E7. https://lists.apache.org/thread.html/r093b405a49fd31efa0d949ac1a887101af1ca95652a66094194ed933@%3Cdev.ambari.apache.org%3E8. https://lists.apache.org/thread.html/r40f0a97b6765de6b8938bc212ee9dfb5101e9efa48bcbbdec02b2a60@%3Cissues.ambari.apache.org%3E9. https://lists.apache.org/thread.html/r6670a6c29044bcb77d4e5d165b5bd13fffe37b84caa5d6471b13b3a2@%3Cdev.ambari.apache.org%3E10. https://lists.apache.org/thread.html/r6bb57124a21bb638f552d81650c66684e70fc1ff9f40b6a8840171cd@%3Cissues.ambari.apache.org%3E11. https://lists.apache.org/thread.html/r984c3b42a500f5a6a89fbee436b9432fada5dc27ebab04910aafe4da@%3Cissues.ambari.apache.org%3E12. https://lists.apache.org/thread.html/rad99b06d7360a5cf6e394afb313f8901dcd4cb777aee9c9197b3b23d@%3Cdev.ambari.apache.org%3E13. https://lists.apache.org/thread.html/rba0247a27be78bd14046724098462d058a9969400a82344b3007cf90@%3Cdev.ambari.apache.org%3E14. https://lists.apache.org/thread.html/rd0fd283e3844b9c54cd5ecc92d966f96d3f4318815bbf3ac41f9c820@%3Ccommits.ambari.apache.org%3E15. https://lists.apache.org/thread.html/re75f59639f3bc1d14c7ab362bc4485ade84f3c6a3c1a03200c20fe13@%3Cissues.ambari.apache.org%3E16. https://lists.apache.org/thread.html/re7c4b251b52f49ba6ef752b829bca9565faaf93d03206b1db6644d31@%3Cdev.ambari.apache.org%3E17. https://lists.apache.org/thread.html/rff71126fa7d9f572baafb9be44078ad409c85d2c0f3e26664f1ef5a2@%3Cdev.ambari.apache.org%3E18. https://lists.fedoraproject.org/archives/list/[email protected]/message/EEKSZ6GE4EDOFZ23NGYWOCMD6O4JF5SO/19. https://lists.fedoraproject.org/archives/list/[email protected]/message/O2KSCCGKNEENZN3DW7TSPFBBUZH3YZXZ/20. https://mostwanted002.cf/post/grafanados/21. https://security.netapp.com/advisory/ntap-20200608-0006/22. https://www.exploit-db.com/exploits/4863823. http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html24. http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.html25. http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html26. http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00017.html27. http://packetstormsecurity.com/files/158320/Grafana-7.0.1-Denial-Of-Service.html28. http://www.openwall.com/lists/oss-security/2020/06/03/429. http://www.openwall.com/lists/oss-security/2020/06/09/230. https://vulncheck.com/cve/CVE-2020-1337931. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-13379.yaml32. https://security.netapp.com/advisory/ntap-20200608-000633. https://rhynorater.github.io/CVE-2020-13379-Write-Up34. https://mostwanted002.cf/post/grafanados35. https://lists.fedoraproject.org/archives/list/[email protected]/message/O2KSCCGKNEENZN3DW7TSPFBBUZH3YZXZ36. https://lists.fedoraproject.org/archives/list/[email protected]/message/EEKSZ6GE4EDOFZ23NGYWOCMD6O4JF5SO37. https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.