CVE-2020-13379
CVE-2020-13379
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault.
Productos afectados
n/a · n/aPoCs públicas encontradas — 2
cve_referencepacketstormsecurity.com/files/158320/Grafana-7.0.1-Denial-Of-Service.htmlno verificadoexploitdbwww.exploit-db.com/exploits/48638no verificado⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.
¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →Referencias
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.htmlhttp://lists.opensuse.org/opensuse-security-announce/2020-07/msg00083.htmlhttp://lists.opensuse.org/opensuse-security-announce/2020-10/msg00009.htmlhttp://lists.opensuse.org/opensuse-security-announce/2020-10/msg00017.htmlhttp://packetstormsecurity.com/files/158320/Grafana-7.0.1-Denial-Of-Service.htmlhttps://community.grafana.com/t/grafana-7-0-2-and-6-7-4-security-update/31408https://community.grafana.com/t/release-notes-v6-7-x/27119https://community.grafana.com/t/release-notes-v7-0-x/29381https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/https://lists.apache.org/thread.html/r0928ee574281f8b6156e0a6d0291bfc27100a9dd3f9b0177ece24ae4%40%3Cdev.ambari.apache.org%3Ehttps://lists.apache.org/thread.html/r093b405a49fd31efa0d949ac1a887101af1ca95652a66094194ed933%40%3Cdev.ambari.apache.org%3Ehttps://lists.apache.org/thread.html/r40f0a97b6765de6b8938bc212ee9dfb5101e9efa48bcbbdec02b2a60%40%3Cissues.ambari.apache.org%3E