Attacker Value
Very High
(2 users assessed)
Exploitability
Moderate
(2 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
4

CVE-2020-13379

Disclosure Date: June 03, 2020
CVE-2020-13379 CVSS v3 Base Score: 8.2
Exploited in the Wild
Reported by ericalexanderorg
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS’ing Grafana via SegFault.

Add Assessment

2
Ratings
  • Attacker Value
    High
  • Exploitability
    Medium
Common in enterpriseUnauthenticatedVulnerable in default configuration
Technical Analysis

This bug affects not only Grafana instances, but also Gitlab instances (under the /-/grafana path) and SourceTree instances (under the /-/debug/grafana/ path).

This also affects GitLab, which presumably bundles Grafana. GitLab versions prior to 13.1.1 are affected. This increases the attack surface beyond just Grafana.

While I consider this a “primitive” in an exploit chain, it will certainly be useful to bug bounty hunters and the like. Seems people on Twitter may have gotten it to work already.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
8.2 High
Impact Score:
4.2
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
Low
Integrity (I):
None
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Exploited in the Wild

Reported by:

References

Canonical
CVE-2020-13379 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13379)
Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html
[oss-security] 20200609 Re: Grafana 6.7.4 and 7.0.2 released with fix for CVE-2020-13379 (http://www.openwall.com/lists/oss-security/2020/06/09/2)
https://security.netapp.com/advisory/ntap-20200608-0006
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.html
FEDORA-2020-a09e5be0be (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EEKSZ6GE4EDOFZ23NGYWOCMD6O4JF5SO)
https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix
http://www.openwall.com/lists/oss-security/2020/06/03/4
FEDORA-2020-e6e81a03d6 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O2KSCCGKNEENZN3DW7TSPFBBUZH3YZXZ)
https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/
https://security.netapp.com/advisory/ntap-20200608-0006/
FEDORA-2020-e6e81a03d6 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O2KSCCGKNEENZN3DW7TSPFBBUZH3YZXZ/)
FEDORA-2020-a09e5be0be (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EEKSZ6GE4EDOFZ23NGYWOCMD6O4JF5SO/)
[ambari-issues] 20200903 [jira] [Assigned] (AMBARI-25547) Update Grafana version to 6.7.4 to avoid CVE-2020-13379 (https://lists.apache.org/thread.html/re75f59639f3bc1d14c7ab362bc4485ade84f3c6a3c1a03200c20fe13@%3Cissues.ambari.apache.org%3E)
[ambari-issues] 20200903 [jira] [Created] (AMBARI-25547) Update Grafana version to 6.7.4 to avoid CVE-2020-13379 (https://lists.apache.org/thread.html/r6bb57124a21bb638f552d81650c66684e70fc1ff9f40b6a8840171cd@%3Cissues.ambari.apache.org%3E)
openSUSE-SU-2020:1611 (http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html)
openSUSE-SU-2020:1646 (http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00017.html)
[ambari-issues] 20210121 [jira] [Updated] (AMBARI-25547) Update Grafana version to 6.7.4 to avoid CVE-2020-13379 (https://lists.apache.org/thread.html/r40f0a97b6765de6b8938bc212ee9dfb5101e9efa48bcbbdec02b2a60@%3Cissues.ambari.apache.org%3E)
[ambari-dev] 20210121 [GitHub] [ambari] payert opened a new pull request #3279: AMBARI-25547 Update Grafana version to 6.7.4 to avoid CVE-2020-13379 (https://lists.apache.org/thread.html/r093b405a49fd31efa0d949ac1a887101af1ca95652a66094194ed933@%3Cdev.ambari.apache.org%3E)
[ambari-dev] 20210121 [GitHub] [ambari] payert commented on a change in pull request #3279: AMBARI-25547 Update Grafana version to 6.7.4 to avoid CVE-2020-13379 (https://lists.apache.org/thread.html/rba0247a27be78bd14046724098462d058a9969400a82344b3007cf90@%3Cdev.ambari.apache.org%3E)
[ambari-dev] 20210121 [GitHub] [ambari] dvitiiuk commented on a change in pull request #3279: AMBARI-25547 Update Grafana version to 6.7.4 to avoid CVE-2020-13379 (https://lists.apache.org/thread.html/rff71126fa7d9f572baafb9be44078ad409c85d2c0f3e26664f1ef5a2@%3Cdev.ambari.apache.org%3E)
[ambari-dev] 20210122 [GitHub] [ambari] payert commented on a change in pull request #3279: AMBARI-25547 Update Grafana version to 6.7.4 to avoid CVE-2020-13379 (https://lists.apache.org/thread.html/re7c4b251b52f49ba6ef752b829bca9565faaf93d03206b1db6644d31@%3Cdev.ambari.apache.org%3E)
[ambari-dev] 20210122 [GitHub] [ambari] payert opened a new pull request #3279: AMBARI-25547 Update Grafana version to 6.7.4 to avoid CVE-2020-13379 (https://lists.apache.org/thread.html/rad99b06d7360a5cf6e394afb313f8901dcd4cb777aee9c9197b3b23d@%3Cdev.ambari.apache.org%3E)
[ambari-dev] 20210122 [GitHub] [ambari] dvitiiuk commented on a change in pull request #3279: AMBARI-25547 Update Grafana version to 6.7.4 to avoid CVE-2020-13379 (https://lists.apache.org/thread.html/r0928ee574281f8b6156e0a6d0291bfc27100a9dd3f9b0177ece24ae4@%3Cdev.ambari.apache.org%3E)
[ambari-commits] 20210125 [ambari] branch branch-2.7 updated: AMBARI-25547 Update Grafana version to 6.7.4 to avoid CVE-2020-13379 (#3279) (https://lists.apache.org/thread.html/rd0fd283e3844b9c54cd5ecc92d966f96d3f4318815bbf3ac41f9c820@%3Ccommits.ambari.apache.org%3E)
[ambari-dev] 20210125 [GitHub] [ambari] payert merged pull request #3279: AMBARI-25547 Update Grafana version to 6.7.4 to avoid CVE-2020-13379 (https://lists.apache.org/thread.html/r6670a6c29044bcb77d4e5d165b5bd13fffe37b84caa5d6471b13b3a2@%3Cdev.ambari.apache.org%3E)
[ambari-issues] 20210127 [jira] [Resolved] (AMBARI-25547) Update Grafana version to 6.7.4 to avoid CVE-2020-13379 (https://lists.apache.org/thread.html/r984c3b42a500f5a6a89fbee436b9432fada5dc27ebab04910aafe4da@%3Cissues.ambari.apache.org%3E)
Miscellaneous
http://packetstormsecurity.com/files/158320/Grafana-7.0.1-Denial-Of-Service.html
https://rhynorater.github.io/CVE-2020-13379-Write-Up
https://community.grafana.com/t/grafana-7-0-2-and-6-7-4-security-update/31408
https://community.grafana.com/t/release-notes-v6-7-x/27119
https://community.grafana.com/t/release-notes-v7-0-x/29381
https://mostwanted002.cf/post/grafanados
https://mostwanted002.cf/post/grafanados/

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis