CVE-2020-13379

HIGH · EXPLOITED IN THE WILD · NUCLEI

Grafana 3.0.1-7.0.1 - SSRF

Title source: llm

Description

The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF (Incorrect Access Control) issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return the result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects can be used to crash Grafana with a segmentation fault (denial of service).

Exploits (2)

exploitdb · WORKING POC
by mostwanted002 · bash · dos · linux
https://www.exploit-db.com/exploits/48638
github · WORKING POC · 1 stars
by vadimgggg · python · poc
https://github.com/vadimgggg/CVE-PoC/tree/main/CVE-2020-13379

Nuclei Templates (1)

Grafana 3.0.1-7.0.1 - Server-Side Request Forgery
HIGH · VERIFIED · by Joshua Rogers
Shodan: title:"Grafana" || cpe:"cpe:2.3:a:grafana:grafana" || http.title:"grafana"
FOFA: title="grafana" || app="grafana"

References (28)


Scores

CVSS v3 8.2
EPSS 0.9284
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Details

VulnCheck KEV 2024-03-07
InTheWild.io 2021-04-18
CWE
CWE-918
Status published
Products (7)
fedoraproject/fedora 31
fedoraproject/fedora 32
grafana/grafana 3.0.1 - 6.7.4 (Go)
grafana/grafana 3.0.1 - 7.0.1
netapp/e-series_performance_analyzer
opensuse/backports_sle 15.0 sp1 (2 CPE variants)
opensuse/leap 15.2
Published Jun 03, 2020
Tracked Since Feb 18, 2026