Researchers:
Mayank Malik ( mostwanted002@protonmail.com)
Kartik Sharma ( 98kartik.sharma@gmail.com)
Severity: Medium
Version: 3.0.1 to 7.0.1
Vulnerable Endpoint: http://<grafanaHost>/avatar/*
Overview Grafana is the open-source analytics & monitoring solution for every database. According to Grafana’s patch notes dated June 3rd, 2020, there was an “Incorrect Access Control” vulnerability in Grafana 3.0.1 through Grafana 7.0.1 on the /avatar feature through which an attacker/adversary was able to perform Server Side Request Forgery (SSRF) attack.