Enhancement: cves/2020/CVE-2020-13379.yaml by md
parent
af12899320
commit
baaa75856f
@ -1,16 +1,16 @@
id: CVE-2020-13379
info:
name: Grafana 3.0.1 <= 7.0.1 Server Side Request Forgery
name: Grafana 3.0.1-7.0.1 - Server-Side Request Forgery
author: Joshua Rogers
severity: high
description: |
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue that allows remote code execution. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on.
Grafana 3.0.1 through 7.0.1 is susceptible to server-side request forgery via the avatar feature, which can lead to remote code execution. Any unauthenticated user/client can make Grafana send HTTP requests to any URL and return its result. This can be used to gain information about the network Grafana is running on, thereby potentially enabling an attacker to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
reference:
- https://github.com/advisories/GHSA-wc9w-wvq2-ffm9
- https://nvd.nist.gov/vuln/detail/CVE-2020-13379
- https://github.com/grafana/grafana/commit/ba953be95f0302c2ea80d23f1e5f2c1847365192
- http://www.openwall.com/lists/oss-security/2020/06/03/4
- https://nvd.nist.gov/vuln/detail/CVE-2020-13379
remediation: Upgrade to 6.3.4 or higher.
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
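Review bot: the remediation line contradicts the affected range stated two fields above it: `name: Grafana 3.0.1-7.0.1 - Server-Side Request Forgery` and the description say versions through 7.0.1 are affected, yet `remediation: Upgrade to 6.3.4 or higher.` would treat 6.3.4 to 7.0.1 as fixed; one of the two needs correcting against the referenced advisory and fix commit. The new description also asserts the issue "can lead to remote code execution" and lets an attacker "modify data, and/or execute unauthorized administrative operations", while the unchanged `cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H` records no integrity impact; that appended sentence reads as generic boilerplate and should be trimmed to what the vector and references support (unauthenticated outbound requests disclosing information about the internal network). Finally, `https://nvd.nist.gov/vuln/detail/CVE-2020-13379` appears twice in the reference list; keep a single entry.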
@ -44,4 +44,6 @@ requests:
- type: status
status:
- 200
- 200
# Enhanced by md on 2023/04/12
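Review bot: the only matcher visible in this hunk is `- type: status` with `- 200`; on its own an HTTP 200 matches any reachable Grafana instance whether or not the avatar endpoint actually fetched the supplied URL, so confirm that the template's earlier matchers (outside this hunk) include a body or header check tied together with `matchers-condition: and`, otherwise the template will produce false positives. The appended `# Enhanced by md on 2023/04/12` comment is acceptable as a provenance marker, but keep it as the final line of the file so future diffs stay minimal.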