CVE-2020-13379: CVE-2020-13379

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2020-13379

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Description

The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Title

Grafana 代码问题漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Grafana是Grafana实验室的一套提供可视化监控界面的开源监控工具。该工具主要用于监控和分析Graphite、InfluxDB和Prometheus等。 Grafana 3.0.1版本至7.0.1版本中的avatar功能存在远程代码执行漏洞，该漏洞源于不正确的访问控制。远程攻击者可利用该漏洞使其向任意URL发送请求，获取返回的信息（包括Grafana运行的网络）。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
-	n/a	n/a	-

II. Public POCs for CVE-2020-13379

#	POC Description	Source Link	Shenlong Link
1	Grafana 3.0.1 through 7.0.1 is susceptible to server-side request forgery via the avatar feature, which can lead to remote code execution. Any unauthenticated user/client can make Grafana send HTTP requests to any URL and return its result. This can be used to gain information about the network Grafana is running on, thereby potentially enabling an attacker to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-13379.yaml	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2020-13379

Please Login to view more intelligence information

https://community.grafana.com/t/release-notes-v6-7-x/27119x_refsource_MISC
https://community.grafana.com/t/release-notes-v7-0-x/29381x_refsource_MISC
https://community.grafana.com/t/grafana-7-0-2-and-6-7-4-security-update/31408x_refsource_MISC
http://packetstormsecurity.com/files/158320/Grafana-7.0.1-Denial-Of-Service.htmlx_refsource_MISC
https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/x_refsource_CONFIRM
https://mostwanted002.cf/post/grafanados/x_refsource_MISC
https://security.netapp.com/advisory/ntap-20200608-0006/x_refsource_CONFIRM
http://www.openwall.com/lists/oss-security/2020/06/03/4x_refsource_CONFIRM
https://rhynorater.github.io/CVE-2020-13379-Write-Upx_refsource_MISC
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.htmlvendor-advisoryx_refsource_SUSE
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.htmlvendor-advisoryx_refsource_SUSE
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.htmlvendor-advisoryx_refsource_SUSE
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00017.htmlvendor-advisoryx_refsource_SUSE
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O2KSCCGKNEENZN3DW7TSPFBBUZH3YZXZ/vendor-advisoryx_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EEKSZ6GE4EDOFZ23NGYWOCMD6O4JF5SO/vendor-advisoryx_refsource_FEDORA
http://www.openwall.com/lists/oss-security/2020/06/09/2mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r6bb57124a21bb638f552d81650c66684e70fc1ff9f40b6a8840171cd%40%3Cissues.ambari.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r40f0a97b6765de6b8938bc212ee9dfb5101e9efa48bcbbdec02b2a60%40%3Cissues.ambari.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/re75f59639f3bc1d14c7ab362bc4485ade84f3c6a3c1a03200c20fe13%40%3Cissues.ambari.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r984c3b42a500f5a6a89fbee436b9432fada5dc27ebab04910aafe4da%40%3Cissues.ambari.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/rd0fd283e3844b9c54cd5ecc92d966f96d3f4318815bbf3ac41f9c820%40%3Ccommits.ambari.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r6670a6c29044bcb77d4e5d165b5bd13fffe37b84caa5d6471b13b3a2%40%3Cdev.ambari.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r093b405a49fd31efa0d949ac1a887101af1ca95652a66094194ed933%40%3Cdev.ambari.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/rad99b06d7360a5cf6e394afb313f8901dcd4cb777aee9c9197b3b23d%40%3Cdev.ambari.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/rba0247a27be78bd14046724098462d058a9969400a82344b3007cf90%40%3Cdev.ambari.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/re7c4b251b52f49ba6ef752b829bca9565faaf93d03206b1db6644d31%40%3Cdev.ambari.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/rff71126fa7d9f572baafb9be44078ad409c85d2c0f3e26664f1ef5a2%40%3Cdev.ambari.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r0928ee574281f8b6156e0a6d0291bfc27100a9dd3f9b0177ece24ae4%40%3Cdev.ambari.apache.org%3Emailing-listx_refsource_MLIST
https://nvd.nist.gov/vuln/detail/CVE-2020-13379

New Vulnerabilities

Product: n/a

Vendor: n/a

V. Comments for CVE-2020-13379

No comments yet

Support Us — Your donation helps us keep running

I. Basic Information for CVE-2020-13379

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2020-13379

III. Intelligence Information for CVE-2020-13379

New Vulnerabilities

V. Comments for CVE-2020-13379

Leave a comment