CVE-2020-13379
Publication date 3 June 2020
Last updated 25 August 2025
Ubuntu priority
Description
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| grafana | 22.04 LTS jammy | Not in release |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Not in release |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
8.2 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H |
References
Other references
- https://www.openwall.com/lists/oss-security/2020/06/03/4
- https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/
- http://www.openwall.com/lists/oss-security/2020/06/03/4
- https://community.grafana.com/t/grafana-7-0-2-and-6-7-4-security-update/31408
- https://community.grafana.com/t/release-notes-v6-7-x/27119
- https://community.grafana.com/t/release-notes-v7-0-x/29381
- https://www.cve.org/CVERecord?id=CVE-2020-13379