CVE-2020-13379

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-13379

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-13379.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-13379

Aliases

Published

2020-06-03T19:15:10Z

Modified

2024-06-06T12:59:35.928651Z

Severity

CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Summary

[none]

Details

The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault.

References

Affected packages

Git / github.com/grafana/grafana

Affected ranges

Type: GIT
Repo: https://github.com/grafana/grafana
Events: Introduced

bbd52c0b713a5220ae0e27f8471aa9877a7e6589

Last affected

ef5b586d7d9e561b78c8aaa098c4e9f1e3a78d62

Affected versions

7.*

7.0.0

v3.*

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.1.0

v3.1.0-beta1

v3.1.1

v4.*

v4.0.0

v4.0.0-beta1

v4.0.0-beta2

v4.0.1

v4.0.2

v4.1.0-beta1

v4.2.0-beta1

v4.3.0

v4.3.0-beta1

v4.3.1

v4.3.2

v4.4.0

v4.4.1

v4.4.2

v4.4.3

v4.5.0

v4.5.0-beta1

v4.5.1

v4.6.0-beta1

v5.*

v5.,2.4

v5.0.0

v5.0.0-beta1

v5.0.0-beta2

v5.0.0-beta3

v5.0.0-beta4

v5.0.0-beta5

v6.*

v6.0.0-beta1

v6.5

v7.*

v7.0.0

v7.0.0-beta3

v7.0.1