Rapid7 Vulnerability & Exploit Database

Oracle Linux: CVE-2020-13379: ELSA-2020-2641: grafana security update (IMPORTANT) (Multiple Advisories)

Free InsightVM Trial No Credit Card Necessary

2024 Attack Intel Report Latest research by Rapid7 Labs

Back to Search

Oracle Linux: CVE-2020-13379: ELSA-2020-2641: grafana security update (IMPORTANT) (Multiple Advisories)

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:N/A:C)

Published

06/03/2020

Created

06/16/2020

Added

06/13/2020

Modified

12/06/2024

Description

The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault. An SSRF incorrect access control vulnerability was found in Grafana regarding the avatar feature, allowing any unauthenticated user or client to make Grafana send HTTP requests to any URL and then return its result to the user or client. Additionally, the same issue can create a NULL pointer dereference vulnerability. This flaw allows an attacker to gain information about the network that Grafana is running on, or cause a segmentation fault, resulting in a denial of service.

Solution(s)

oracle-linux-upgrade-grafana
oracle-linux-upgrade-grafana-azure-monitor
oracle-linux-upgrade-grafana-cloudwatch
oracle-linux-upgrade-grafana-elasticsearch
oracle-linux-upgrade-grafana-graphite
oracle-linux-upgrade-grafana-influxdb
oracle-linux-upgrade-grafana-loki
oracle-linux-upgrade-grafana-mssql
oracle-linux-upgrade-grafana-mysql
oracle-linux-upgrade-grafana-opentsdb
oracle-linux-upgrade-grafana-postgres
oracle-linux-upgrade-grafana-prometheus
oracle-linux-upgrade-grafana-stackdriver
oracle-linux-upgrade-kubeadm
oracle-linux-upgrade-kubectl
oracle-linux-upgrade-kubelet
oracle-linux-upgrade-kubernetes-cni
oracle-linux-upgrade-kubernetes-cni-plugins
oracle-linux-upgrade-olcne-agent
oracle-linux-upgrade-olcne-api-server
oracle-linux-upgrade-olcnectl
oracle-linux-upgrade-olcne-istio-chart
oracle-linux-upgrade-olcne-nginx
oracle-linux-upgrade-olcne-prometheus-chart
oracle-linux-upgrade-olcne-utils

References

https://attackerkb.com/topics/cve-2020-13379
CVE - 2020-13379
ELSA-2020-2641
ELSA-2020-5726

Advanced vulnerability management analytics and reporting.

Key Features

Lightweight Endpoint Agent
Live Dashboards
Real Risk Prioritization
IT-Integrated Remediation Projects
Cloud, Virtual, and Container Assessment
Integrated Threat Feeds
Easy-to-Use RESTful API
Automation-Assisted Patching
Automated Containment

Free InsightVM Trial View All Features

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;

Rapid7 Vulnerability & Exploit Database

Oracle Linux: CVE-2020-13379: ELSA-2020-2641: grafana security update (IMPORTANT) (Multiple Advisories)

Oracle Linux: CVE-2020-13379: ELSA-2020-2641: grafana security update (IMPORTANT) (Multiple Advisories)

Description

Solution(s)

References

Submit your information and we will get in touch with you.

Thank you for contacting us.

We will be in touch shortly.