Re: Grafana 6.7.4 and 7.0.2 released with fix for CVE-2020-13379

[Richard Hartmann <richih.mailinglist () gmail com>]

Thank you to Mark Cooper from Red Hat, BCC'ed, for pointing out that
the same issue could be abused for DOS via SegFault.

We are updating our blog post and will update the CVE as well.


Best,
Richard

On Wed, Jun 3, 2020 at 3:34 PM Richard Hartmann
<richih.mailinglist () gmail com> wrote:
> Dear all,
>
> today we are releasing Grafana 6.7.4 and 7.0.2. These patch releases
> include an important security fix for an issue that affects all
> Grafana versions from 3.0.1 to 7.0.1.
>
> Incorrect access control vulnerability (CVE-2020-13379)
> We received a security report to security () grafana com on May 14, 2020,
> about a vulnerability in Grafana regarding the avatar feature. It was
> later identified as affecting Grafana versions from 3.0.1 to 7.0.1.
> CVE-2020-13379 has been assigned to this vulnerability.
>
> This vulnerability allows any unauthenticated user/client to make
> Grafana send HTTP requests to any URL and return its result to the
> user/client. This can be used to gain information about the network
> that Grafana is running on.
>
> If for some reason you cannot upgrade, the impact can be mitigated by
> blocking access to the avatar feature by blocking the /avatar/* URL
> via a web application firewall, load balancer, reverse proxy, or
> similar. It can also be mitigated by restricting access to Grafana.
>
> Affected versions
> Grafana releases 3.0.1 through 7.0.1
>
> Patched versions
> 7.x and 6.7.x
>
> Solutions and mitigations
> Download and install the appropriate patch for your version of Grafana.
>
> Grafana Cloud instances have already been patched, and Grafana
> Enterprise customers were provided with updated binaries, under
> embargo, on May 27.
>
> Further information can be found at
> https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/
>
>
> Richard



-- 
Richard