Grafana SSRF Vulnerability (CVE-2020-13379)

On 3 June 2020, Grafana published a security advisory addressing CVE-2020-13379, an SSRF (Server-Side Request
Forgery) Incorrect Access Control issue. This is a high-severity vulnerability with a CVSS score of 6.4.

Vulnerability Details

The avatar feature in Grafana has an SSRF Incorrect Access Control issue. It allows unauthenticated attackers to force Grafana to send HTTP requests to any URL and return the result, which lets them gain information about the network that Grafana is running on. Unauthenticated attackers can also pass invalid URL objects to DoS a Grafana instance by segfaulting it.

Exploitation

Attackers can smuggle parameters into the request Grafana makes while fetching a user's Gravatar image, resulting in
URL parameter injection. The request can then be redirected to other hosts where some of the images are hosted,
making an open redirect possible. Security researcher Rhynorater published a detailed write-up of CVE-2020-13379.

Affected Versions

Grafana 3.0.1 to 7.0.1

Fixed Versions

Grafana 6.7.4 and Grafana 7.0.2

Workaround

The impact can be mitigated by blocking access to the avatar feature by blocking the /avatar/* URL via a web
application firewall, load balancer, reverse proxy, or similar. It can also be mitigated by restricting access to
Grafana.

Detection

Qualys customers can scan their network with QIDs 13791, 158626, 280046, 280047, 158636, 238411, 238415,
173683, 173767 to detect vulnerable assets. Please continue to follow Qualys Threat Protection for more coverage
of the latest vulnerabilities.
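As an added example (not from the advisory, Qualys or Grafana), the script below does two defender-side checks: it decides from a version string whether an instance falls in the affected range stated above, and it flags reverse-proxy access-log requests to /avatar/ that carry more than a bare hash, which is the parameter smuggling the exploitation section describes. It assumes Grafana's unauthenticated /api/health endpoint reports the running version, that legitimate avatar paths have the form /avatar/<hex hash>, and a combined-format access log; the log lines are constructed.

```python
import json
import re

# Version boundaries stated in the advisory: affected 3.0.1 through 7.0.1,
# fixed in 6.7.4 (6.x line) and 7.0.2 (7.0.x line).
FIRST_AFFECTED = (3, 0, 1)
FIXED_6X = (6, 7, 4)
FIXED_7X = (7, 0, 2)

def parse_version(text):
    """Turn '7.0.1' (or '7.0.1-beta1') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(version):
    """True if the version falls inside the advisory's affected range."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    if v[0] < 7:
        return v < FIXED_6X   # 6.x line: fixed from 6.7.4
    return v < FIXED_7X       # 7.0.x line: fixed from 7.0.2

def check_health_json(body):
    """Assumption: body is the JSON from Grafana's unauthenticated /api/health,
    which reports the running version."""
    return is_vulnerable(json.loads(body)["version"])

# Request line of a combined-format reverse-proxy access log hitting /avatar/.
REQUEST_RE = re.compile(r'"(?:GET|HEAD) (/avatar/[^ "]*) HTTP/')

def suspicious_avatar_requests(log_lines):
    """Return /avatar/ paths carrying more than a bare hash. Assumption: legitimate
    avatar paths are /avatar/<hex hash>; a query string or encoded characters is the
    parameter smuggling the advisory describes and worth alerting on while
    /avatar/* is still exposed."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and not re.fullmatch(r"/avatar/[0-9a-fA-F]+", m.group(1)):
            hits.append(m.group(1))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Jun/2020:10:00:01 +0000] "GET /avatar/0123456789abcdef0123456789abcdef HTTP/1.1" 200 1843',
    '10.0.0.9 - - [03/Jun/2020:10:00:02 +0000] "GET /avatar/0123456789abcdef0123456789abcdef?foo=bar HTTP/1.1" 200 512',
    '10.0.0.9 - - [03/Jun/2020:10:00:03 +0000] "GET /api/health HTTP/1.1" 200 52',
]
```

Once the instance is upgraded to 6.7.4 or 7.0.2 the version check turns clean, while the log check remains useful as a record of who probed the endpoint before the fix.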

References and Sources

https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/
https://rhynorater.github.io/CVE-2020-13379-Write-Up
https://github.com/grafana/grafana/blob/78febbbeef1f23ccbb88c2bd3acd2e9c2011e02a/pkg/api/api.go#L423
https://docs.google.com/presentation/d/1He_zFFXCuft3LsZTXbHKoDxQHNoSveZg2c2uF1HKuaw/edit#slide=id.g6bd56c9061_0_750
