⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.
CVE-2020-13379 — Server-Side Request Forgery in Grafana
Severity: 8.2 HIGH (NVD)
EPSS: 92.8% (top 0.23%)
CISA KEV: Not in KEV
Exploit: Exploited in the wild; active exploitation observed
Affected products
Timeline: Published Jun 3; latest update Feb 15
Description
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF (incorrect access control) issue. It allows any unauthenticated user or client to make Grafana send HTTP requests to any URL and return the result to that user or client, which can be used to gain information about the network Grafana is running on. Furthermore, passing invalid URL objects can crash Grafana with a segmentation fault, causing a denial of service.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H (Exploitability: 3.9 | Impact: 4.2)
Affected packages: 4 packages. Also affects: Fedora 31, 32
Vulnerability Details
Exploits & PoCs (4)
Nuclei (2): Grafana 3.0.1-7.0.1 - Server-Side Request Forgery
Vendor Advisories (1)
Red Hat: grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send HTTP requests to any URL (2020-06-03)
Community (2)
Bugzilla: CVE-2020-13379 grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send HTTP requests to any URL [fedora-all] (2020-06-03)
Bugzilla: CVE-2020-13379 grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send HTTP requests to any URL (2020-06-03)