oss-sec mailing list archives
Re: Grafana 6.7.4 and 7.0.2 released with fix for CVE-2020-13379
From: Richard Hartmann <richih.mailinglist () gmail com>
Date: Tue, 9 Jun 2020 12:08:24 +0200
Thank you to Mark Cooper from Red Hat, BCC'ed, for pointing out that the same issue could be abused for DOS via SegFault. We are updating our blog post and will update the CVE as well. Best, Richard On Wed, Jun 3, 2020 at 3:34 PM Richard Hartmann <richih.mailinglist () gmail com> wrote:
Dear all, today we are releasing Grafana 6.7.4 and 7.0.2. These patch releases include an important security fix for an issue that affects all Grafana versions from 3.0.1 to 7.0.1. Incorrect access control vulnerability (CVE-2020-13379) We received a security report to security () grafana com on May 14, 2020, about a vulnerability in Grafana regarding the avatar feature. It was later identified as affecting Grafana versions from 3.0.1 to 7.0.1. CVE-2020-13379 has been assigned to this vulnerability. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. If for some reason you cannot upgrade, the impact can be mitigated by blocking access to the avatar feature by blocking the /avatar/* URL via a web application firewall, load balancer, reverse proxy, or similar. It can also be mitigated by restricting access to Grafana. Affected versions Grafana releases 3.0.1 through 7.0.1 Patched versions 7.x and 6.7.x Solutions and mitigations Download and install the appropriate patch for your version of Grafana. Grafana Cloud instances have already been patched, and Grafana Enterprise customers were provided with updated binaries, under embargo, on May 27. Further information can be found at https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/ Richard
-- Richard
Current thread:
- Grafana 6.7.4 and 7.0.2 released with fix for CVE-2020-13379 Richard Hartmann (Jun 03)
- Re: Grafana 6.7.4 and 7.0.2 released with fix for CVE-2020-13379 Richard Hartmann (Jun 09)