Ubuntu.comUB:CVE-2020-13379CVE-2020-13379
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
EPSS
Percentile
98.1%
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect
Access Control issue. This vulnerability allows any unauthenticated
user/client to make Grafana send HTTP requests to any URL and return its
result to the user/client. This can be used to gain information about the
network that Grafana is running on. Furthermore, passing invalid URL
objects could be used for DOS’ing Grafana via SegFault.
References
www.openwall.com/lists/oss-security/2020/06/03/4
community.grafana.com/t/grafana-7-0-2-and-6-7-4-security-update/31408
community.grafana.com/t/release-notes-v6-7-x/27119
community.grafana.com/t/release-notes-v7-0-x/29381
grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/
launchpad.net/bugs/cve/CVE-2020-13379
nvd.nist.gov/vuln/detail/CVE-2020-13379
security-tracker.debian.org/tracker/CVE-2020-13379
www.cve.org/CVERecord?id=CVE-2020-13379
www.openwall.com/lists/oss-security/2020/06/03/4
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
EPSS
Percentile
98.1%