Lucene search

GoogleOSV:CVE-2020-13379

HistoryJun 03, 2020 - 7:15 p.m.

CVE-2020-13379

2020-06-0319:15:10

Google

osv.dev

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

7.2 High

AI Score

Confidence

High

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

0.728 High

EPSS

Percentile

98.0%

JSON

The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS’ing Grafana via SegFault.

CPENameOperatorVersion
grafanaeq6.5
grafanaeq4.4.2
grafanaeq4.4.1
grafanaeq5.0.0-beta1
grafanaeq4.5.0
grafanaeq4.4.3
grafanaeq5.0.0-beta5
grafanaeq6.0.0-beta1
grafanaeq4.0.0
grafanaeq7.0.0

Name	Operator	Version
grafana	eq	6.5
grafana	eq	4.4.2
grafana	eq	4.4.1
grafana	eq	5.0.0-beta1
grafana	eq	4.5.0
grafana	eq	4.4.3
grafana	eq	5.0.0-beta5
grafana	eq	6.0.0-beta1
grafana	eq	4.0.0
grafana	eq	7.0.0

Rows per page:

1-10 of 381

References

lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html

lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.html

lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html

lists.opensuse.org/opensuse-security-announce/2020-10/msg00017.html

packetstormsecurity.com/files/158320/Grafana-7.0.1-Denial-Of-Service.html

www.openwall.com/lists/oss-security/2020/06/03/4

www.openwall.com/lists/oss-security/2020/06/09/2

community.grafana.com/t/grafana-7-0-2-and-6-7-4-security-update/31408

community.grafana.com/t/release-notes-v6-7-x/27119

community.grafana.com/t/release-notes-v7-0-x/29381

grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/

lists.apache.org/thread.html/r0928ee574281f8b6156e0a6d0291bfc27100a9dd3f9b0177ece24ae4%40%3Cdev.ambari.apache.org%3E

lists.apache.org/thread.html/r093b405a49fd31efa0d949ac1a887101af1ca95652a66094194ed933%40%3Cdev.ambari.apache.org%3E

lists.apache.org/thread.html/r40f0a97b6765de6b8938bc212ee9dfb5101e9efa48bcbbdec02b2a60%40%3Cissues.ambari.apache.org%3E

lists.apache.org/thread.html/r6670a6c29044bcb77d4e5d165b5bd13fffe37b84caa5d6471b13b3a2%40%3Cdev.ambari.apache.org%3E

lists.apache.org/thread.html/r6bb57124a21bb638f552d81650c66684e70fc1ff9f40b6a8840171cd%40%3Cissues.ambari.apache.org%3E

lists.apache.org/thread.html/r984c3b42a500f5a6a89fbee436b9432fada5dc27ebab04910aafe4da%40%3Cissues.ambari.apache.org%3E

lists.apache.org/thread.html/rad99b06d7360a5cf6e394afb313f8901dcd4cb777aee9c9197b3b23d%40%3Cdev.ambari.apache.org%3E

lists.apache.org/thread.html/rba0247a27be78bd14046724098462d058a9969400a82344b3007cf90%40%3Cdev.ambari.apache.org%3E

lists.apache.org/thread.html/rd0fd283e3844b9c54cd5ecc92d966f96d3f4318815bbf3ac41f9c820%40%3Ccommits.ambari.apache.org%3E

lists.apache.org/thread.html/re75f59639f3bc1d14c7ab362bc4485ade84f3c6a3c1a03200c20fe13%40%3Cissues.ambari.apache.org%3E

lists.apache.org/thread.html/re7c4b251b52f49ba6ef752b829bca9565faaf93d03206b1db6644d31%40%3Cdev.ambari.apache.org%3E

lists.apache.org/thread.html/rff71126fa7d9f572baafb9be44078ad409c85d2c0f3e26664f1ef5a2%40%3Cdev.ambari.apache.org%3E

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEKSZ6GE4EDOFZ23NGYWOCMD6O4JF5SO/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O2KSCCGKNEENZN3DW7TSPFBBUZH3YZXZ/

mostwanted002.cf/post/grafanados/

rhynorater.github.io/CVE-2020-13379-Write-Up

security.netapp.com/advisory/ntap-20200608-0006/

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

7.2 High

AI Score

Confidence

High

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

0.728 High

EPSS

Percentile

98.0%

JSON

Related for OSV:CVE-2020-13379