CVE-2020-13379

Published: 03/06/2020 Updated: 07/11/2023
CVSS v2 Base Score: 6.4 | Impact Score: 4.9 | Exploitability Score: 10
CVSS v3 Base Score: 8.2 | Impact Score: 4.2 | Exploitability Score: 3.9
VMScore: 572
CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P

Vulnerability Summary

The avatar feature in Grafana 3.0.1 up to and including 7.0.1 has an SSRF (Incorrect Access Control) issue. The vulnerability allows any unauthenticated user or client to make Grafana send an HTTP request to an arbitrary URL and return the response to that user or client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects can be used to cause a denial of service by crashing Grafana with a segfault.

Vulnerable Products

grafana: grafana
fedoraproject: fedora 31
fedoraproject: fedora 32
netapp: e-series performance analyzer
opensuse: leap 15.2
opensuse: backports sle 15.0

Vendor Advisories

Synopsis: Important: grafana security update. Type/Severity: Security Advisory: Important. Topic: An update for grafana is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring ...
Synopsis: Important: web-admin-build security and bug fix update. Type/Severity: Security Advisory: Important. Topic: Updated web-admin-build packages that fix one bug are now available for Red Hat Gluster Storage 3.5 on Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a secu ...
Synopsis: Important: Red Hat OpenShift Service Mesh 1.0 servicemesh-grafana security update. Type/Severity: Security Advisory: Important. Topic: An update for servicemesh-grafana is now available for OpenShift Service Mesh 1.0. Red Hat Product Security has rated this update as having a security impact of Importan ...
Synopsis: Important: Red Hat Ceph Storage 4.2 security and bug fix update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat Ceph Storage 4.2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CV ...
Synopsis: Moderate: OpenShift Container Platform 4.4.11 grafana-container security update. Type/Severity: Security Advisory: Moderate. Topic: An update for grafana-container is now available for Red Hat OpenShift Container Platform 4.4. Red Hat Product Security has rated this update as having a security impac ...
Synopsis: Important: Red Hat OpenShift Service Mesh servicemesh-grafana security update. Type/Severity: Security Advisory: Important. Topic: An update for servicemesh-grafana is now available for OpenShift Service Mesh 1.1. Red Hat Product Security has rated this update as having a security impact of Importan ...
Synopsis: Important: grafana security update. Type/Severity: Security Advisory: Important. Topic: An update for grafana is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, ...
Multiple vulnerabilities have been found in Hitachi Ops Center Analyzer viewpoint: CVE-2020-11110, CVE-2020-12245, CVE-2020-12458, CVE-2020-13379, CVE-2020-13430. Affected products and versions are listed below. Please upgrade your version to the appropriate version ...

Exploits

Grafana version 7.0.1 denial of service proof of concept exploit ...

Mailing Lists

oss-sec mailing list archives: Grafana 6.7.4 and 7.0.2 released with fix for CVE-2020-13379. From: Rich ...

Github Repositories

Jaeles is a powerful, flexible and easily extensible framework written in Go for building your own Web Application Scanner. Painlessly integrate Jaeles into your recon workflow. Enjoying this tool? Support its development and take your game to the next level by using HunterSuite.io. Installation: Download the precompiled version here. If you have a Go environment, mak

Guide to SSRF

Guide to SSRF 🌐 The Basics Server Side Request Forgery (OWASP) SSRF: Web App Security Basics SSRF-Server Side Request Forgery What is Server-Side Request Forgery (SSRF)? SSRF: What is Server Side Request Forgery? Understanding the Web Vulnerability Server-Side Request Forgery (1/2) Exploiting the SSRF vulnerability (2/2) 3 Types of SSRF Attacks and How to Prevent Them SSRF


Default signature for Jaeles Scanner

This project was part of the Osmedeus Engine. Check out how it was integrated at @OsmedeusEngine. This repo only contains Default Signatures for the Jaeles project. Pull requests or any ideas are welcome. Please read the Official Documentation here for writing your own signature. Installation: jaeles config init Or Try to c

The Swiss Army knife for automated Web Application Testing

Jaeles is a powerful, flexible and easily extensible framework written in Go for building your own Web Application Scanner. Installation: Download the precompiled version here. If you have a Go environment, make sure you have Go >= 1.17 with Go Modules enabled and run the following command: go install github.com/jaeles-project/jaeles@latest


Comprehensive cheat sheet for the OSCP lab and exam. This is in a format for an Obsidian template; you can just download and import it to use as a template, with the help of the Obsidian Templater plugin, to avoid manual editing of IP addresses. 1 Basic Enumeration Tools & Commands 1.1 Nmap Commands # only open port nmap <% tp.frontmatter["Target IP"] %> -p- -Pn -T4

References

CWE-918 (Server-Side Request Forgery)
http://www.openwall.com/lists/oss-security/2020/06/03/4
https://community.grafana.com/t/release-notes-v6-7-x/27119
https://community.grafana.com/t/release-notes-v7-0-x/29381
https://community.grafana.com/t/grafana-7-0-2-and-6-7-4-security-update/31408
https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/
https://security.netapp.com/advisory/ntap-20200608-0006/
http://www.openwall.com/lists/oss-security/2020/06/09/2
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html
https://mostwanted002.cf/post/grafanados/
http://packetstormsecurity.com/files/158320/Grafana-7.0.1-Denial-Of-Service.html
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.html
https://rhynorater.github.io/CVE-2020-13379-Write-Up
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.html
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00017.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O2KSCCGKNEENZN3DW7TSPFBBUZH3YZXZ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEKSZ6GE4EDOFZ23NGYWOCMD6O4JF5SO/
https://lists.apache.org/thread.html/re75f59639f3bc1d14c7ab362bc4485ade84f3c6a3c1a03200c20fe13%40%3Cissues.ambari.apache.org%3E
https://lists.apache.org/thread.html/r6bb57124a21bb638f552d81650c66684e70fc1ff9f40b6a8840171cd%40%3Cissues.ambari.apache.org%3E
https://lists.apache.org/thread.html/r40f0a97b6765de6b8938bc212ee9dfb5101e9efa48bcbbdec02b2a60%40%3Cissues.ambari.apache.org%3E
https://lists.apache.org/thread.html/r093b405a49fd31efa0d949ac1a887101af1ca95652a66094194ed933%40%3Cdev.ambari.apache.org%3E
https://lists.apache.org/thread.html/rba0247a27be78bd14046724098462d058a9969400a82344b3007cf90%40%3Cdev.ambari.apache.org%3E
https://lists.apache.org/thread.html/rff71126fa7d9f572baafb9be44078ad409c85d2c0f3e26664f1ef5a2%40%3Cdev.ambari.apache.org%3E
https://lists.apache.org/thread.html/re7c4b251b52f49ba6ef752b829bca9565faaf93d03206b1db6644d31%40%3Cdev.ambari.apache.org%3E
https://lists.apache.org/thread.html/rad99b06d7360a5cf6e394afb313f8901dcd4cb777aee9c9197b3b23d%40%3Cdev.ambari.apache.org%3E
https://lists.apache.org/thread.html/r0928ee574281f8b6156e0a6d0291bfc27100a9dd3f9b0177ece24ae4%40%3Cdev.ambari.apache.org%3E
https://lists.apache.org/thread.html/rd0fd283e3844b9c54cd5ecc92d966f96d3f4318815bbf3ac41f9c820%40%3Ccommits.ambari.apache.org%3E
https://lists.apache.org/thread.html/r6670a6c29044bcb77d4e5d165b5bd13fffe37b84caa5d6471b13b3a2%40%3Cdev.ambari.apache.org%3E
https://lists.apache.org/thread.html/r984c3b42a500f5a6a89fbee436b9432fada5dc27ebab04910aafe4da%40%3Cissues.ambari.apache.org%3E
https://nvd.nist.gov
https://access.redhat.com/errata/RHSA-2020:2676
https://github.com/MustafaSky/Guide-to-SSRF
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2020-131/index.html