We received a security report to email@example.com on May 14, 2020, about a vulnerability in Grafana involving incorrect access to the HTTP API. It was later identified as affecting Grafana versions from 3.0.1 to 7.0.1. CVE-2020-13379 has been reserved for this vulnerability.
The avatar feature in Grafana 3.0.1 through 7.0.1 has a server-side request forgery (SSRF) issue caused by incorrect access control. The vulnerability allows any unauthenticated user/client to make Grafana send an HTTP request to an arbitrary URL and return the response to that user/client. This can be used to gain information about the network that Grafana is running on.
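The root cause described above is a server-side fetch whose destination a client can influence. The following Go snippet is an added example (not Grafana's code) of the two controls that close that class of bug: the outbound URL is assembled from a fixed scheme and host plus a strictly validated client value, and the addresses the host resolves to are checked against loopback, link-local and private ranges before a connection is made. The upstream host `avatars.example.net`, the hash format and the function names are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"regexp"
)

// upstreamHost is an assumed placeholder for the single image service an
// avatar fetcher is meant to talk to; it is not taken from the advisory.
const upstreamHost = "avatars.example.net"

// hashRe: the only client-controlled input accepted is a 32-character
// lowercase hex digest, so it cannot carry a scheme, host or path.
var hashRe = regexp.MustCompile(`^[0-9a-f]{32}$`)

var (
	ErrBadHash   = errors.New("avatar: hash must be 32 lowercase hex characters")
	ErrBadTarget = errors.New("avatar: resolved target is not a public address")
)

// BuildAvatarURL constructs the outbound URL from a fixed scheme, a fixed
// host and the validated hash, so a client can never choose where the
// server connects.
func BuildAvatarURL(hash string) (string, error) {
	if !hashRe.MatchString(hash) {
		return "", ErrBadHash
	}
	u := url.URL{Scheme: "https", Host: upstreamHost, Path: "/avatar/" + hash}
	return u.String(), nil
}

// IsPublicIP reports whether a server-side fetcher should be allowed to
// reach ip: unspecified, loopback, link-local, multicast and RFC 1918 /
// ULA addresses are rejected, which blocks the usual pivot into the
// host's own network.
func IsPublicIP(ip net.IP) bool {
	if ip == nil || ip.IsUnspecified() || ip.IsLoopback() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsMulticast() || ip.IsPrivate() {
		return false
	}
	return true
}

// CheckResolvedAddrs applies IsPublicIP to every address a hostname
// resolved to and rejects the whole set if any entry is non-public, so a
// DNS answer mixing public and internal records cannot slip through. It
// takes the addresses as input so it runs without a resolver.
func CheckResolvedAddrs(addrs []net.IP) error {
	if len(addrs) == 0 {
		return ErrBadTarget
	}
	for _, ip := range addrs {
		if !IsPublicIP(ip) {
			return ErrBadTarget
		}
	}
	return nil
}

func main() {
	// Constructed inputs: one well-formed hash, one path-like value.
	for _, h := range []string{"00112233445566778899aabbccddeeff", "../../internal"} {
		u, err := BuildAvatarURL(h)
		fmt.Printf("%q -> %q (err=%v)\n", h, u, err)
	}
	fmt.Println(CheckResolvedAddrs([]net.IP{net.ParseIP("127.0.0.1")}))
}
```

In a real deployment the resolver step would be a `net.DefaultResolver.LookupIPAddr` call whose results are passed to `CheckResolvedAddrs`, and the HTTP client's dialer should connect to the vetted IP rather than re-resolving the name, so the check and the connection cannot see different answers.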
A more detailed report can be found on our blog.
Grafana releases 3.0.1 through 7.0.1 are affected by this vulnerability.
7.x and 6.7.x
Solutions and mitigations
Download and install the appropriate patch for your version of Grafana.