CVE-2020-13379

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2020-13379
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-13379.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-13379
Aliases
Downstream
Related
Published
2020-06-03T19:15:10.737Z
Modified
2026-05-28T04:06:23.392406301Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H CVSS Calculator
Summary
[none]
Details

The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault.

Database specific 
{
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "last_affected": "31"
                },
                {
                    "last_affected": "32"
                }
            ],
            "source": "CPE_STRING",
            "cpes": [
                "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
                "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*"
            ],
            "vendor_product": "fedoraproject:fedora"
        },
        {
            "source": "CPE_STRING",
            "extracted_events": [
                {
                    "last_affected": "15.0-sp1"
                },
                {
                    "last_affected": "15.0-sp2"
                }
            ],
            "cpes": [
                "cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*",
                "cpe:2.3:a:opensuse:backports_sle:15.0:sp2:*:*:*:*:*:*"
            ],
            "vendor_product": "opensuse:backports_sle"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "15.2"
                }
            ],
            "source": "CPE_STRING",
            "cpes": [
                "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*"
            ],
            "vendor_product": "opensuse:leap"
        }
    ]
}
References

Affected packages

Git / github.com/grafana/grafana

Affected ranges

Type
GIT
Repo
https://github.com/grafana/grafana
Events
Introduced
bbd52c0b713a5220ae0e27f8471aa9877a7e6589
Last affected
ef5b586d7d9e561b78c8aaa098c4e9f1e3a78d62
Database specific 
{
    "cpe": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "3.0.1"
        },
        {
            "last_affected": "7.0.1"
        }
    ],
    "source": "CPE_RANGE"
}

Affected versions

7.*
7.0.0
v3.*
v3.0.1
v3.0.2
v3.1.0-beta1
v4.*
v4.4.0
v4.5.0
v4.5.0-beta1
v4.6.0-beta1
v5.*
v5.,2.4
v5.0.0
v5.0.0-beta1
v5.0.0-beta2
v5.0.0-beta3
v5.0.0-beta4
v5.0.0-beta5
v6.*
v6.0.0-beta1
v6.5
v7.*
v7.0.0
v7.0.0-beta3
v7.0.1

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-13379.json"