InformationSecurity

[CVE-2020-13379] Unauthenticated DoS on Grafana 3.0.1 - 7.0.1

Researchers: Mayank Malik (mostwanted002@protonmail.com) Kartik Sharma (98kartik.sharma@gmail.com) Severity: Medium Version: 3.0.1 to 7.0.1 Vulnerable Endpoint: http://<grafanaHost>/avatar/* Overview Grafana is the open-source analytics & monitoring solution for every database. According to Grafana’s patch notes dated June 3rd, 2020, there was an “Incorrect Access Control” vulnerability in Grafana 3.0.1 through Grafana 7.0.1 on the /avatar feature through which an attacker/adversary was able to perform Server Side Request Forgery (SSRF) attack. We came to know about this vulnerability and created a lab for reproducing the same impact.