On 3rd June 2020, Grafana published a security advisory addressing CVE-2020-13379, an SSRF (Server-Side Request
Forgery) Incorrect Access Control issue. This is a high-severity vulnerability with a CVSS score of 6.4.
Vulnerability Details
The avatar feature in Grafana has an SSRF Incorrect Access Control issue. It allows unauthenticated attackers to force Grafana to send HTTP requests to any URL and return the result, which lets them gain information about the network that Grafana is running on. Unauthenticated attackers can also pass invalid URL objects to DoS a Grafana instance by segfaulting it.
Exploitation
Attackers can smuggle parameters into the request Grafana makes while fetching a user's Gravatar image, resulting in URL
parameter injection. The request can be redirected to other hosts where some of the images are hosted, making an
open redirection possible. Security researcher Rhynorater published a detailed report on CVE-2020-13379.
Affected Versions
Grafana 3.0.1 to 7.0.1
Fixed Versions
Grafana 6.7.4 and Grafana 7.0.2
Workaround
The impact can be mitigated by blocking access to the avatar feature by blocking the /avatar/* URL via a web
application firewall, load balancer, reverse proxy, or similar. It can also be mitigated by restricting access to
Grafana.
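One way to apply the workaround above at a reverse proxy, as an added example that is not part of the Grafana advisory or Qualys guidance: an nginx server block that refuses every request to /avatar/* before it reaches Grafana. It assumes Grafana listens on 127.0.0.1:3000, is served at the site root, and uses the hostname grafana.example.com; TLS directives are omitted.

```nginx
# Assumed deployment: Grafana on 127.0.0.1:3000, served at the site root.
server {
    listen 80;
    server_name grafana.example.com;   # assumed hostname

    # ^~ makes this prefix location win over any regex locations declared
    # later in the config, so /avatar/<anything> is never proxied to Grafana.
    # If Grafana is served under a subpath (root_url), prefix that path here.
    location ^~ /avatar/ {
        return 403;
    }

    # Everything else is forwarded to Grafana unchanged.
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

After `nginx -t` and a reload, a request to /avatar/anything should receive a 403 from the proxy rather than a response from Grafana, while the rest of the UI keeps working.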
Detection
Qualys customers can scan their network with QIDs 13791, 158626, 280046, 280047, 158636, 238411, 238415,
173683, 173767 to detect vulnerable assets. Please continue to follow Qualys Threat Protection for more coverage
on the latest vulnerabilities.
References and Sources
https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/
https://rhynorater.github.io/CVE-2020-13379-Write-Up
https://github.com/grafana/grafana/blob/78febbbeef1f23ccbb88c2bd3acd2e9c2011e02a/pkg/api/api.go#L423
https://docs.google.com/presentation/d/1He_zFFXCuft3LsZTXbHKoDxQHNoSveZg2c2uF1HKuaw/edit#slide=id.g6bd56c9061_0_750