Grafana 7.0.2 and 6.7.4 Security Update

We received a security report to security@grafana.com on May 14, 2020, about a vulnerability in Grafana involving incorrect access to the HTTP API. It was later identified as affecting Grafana versions from 3.0.1 to 7.0.1. CVE-2020-13379 has been reserved for this vulnerability.

The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on.

A more detailed report can be found on our blog.

Affected versions

Grafana releases 3.0.1 through 7.0.1 are affected by this vulnerability.

Patched versions

7.x and 6.7.x

Solutions and mitigations

Download and install the appropriate patch for your version of Grafana.

Grafana Cloud instances have already been patched, and Grafana Enterprise customers have been provided with updated binaries.

Conclusion

If you run a Grafana instance between version 3.0.1 and 7.0.1, please upgrade to Grafana 6.7.4 or 7.0.2 as soon as possible.
