Date: Wed, 3 Jun 2020 15:34:26 +0200 From: Richard Hartmann <richih.mailinglist@...il.com> To: oss-security@...ts.openwall.com Subject: Grafana 6.7.4 and 7.0.2 released with fix for CVE-2020-13379 Dear all, today we are releasing Grafana 6.7.4 and 7.0.2. These patch releases include an important security fix for an issue that affects all Grafana versions from 3.0.1 to 7.0.1. Incorrect access control vulnerability (CVE-2020-13379) We received a security report to security@...fana.com on May 14, 2020, about a vulnerability in Grafana regarding the avatar feature. It was later identified as affecting Grafana versions from 3.0.1 to 7.0.1. CVE-2020-13379 has been assigned to this vulnerability. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. If for some reason you cannot upgrade, the impact can be mitigated by blocking access to the avatar feature by blocking the /avatar/* URL via a web application firewall, load balancer, reverse proxy, or similar. It can also be mitigated by restricting access to Grafana. Affected versions Grafana releases 3.0.1 through 7.0.1 Patched versions 7.x and 6.7.x Solutions and mitigations Download and install the appropriate patch for your version of Grafana. Grafana Cloud instances have already been patched, and Grafana Enterprise customers were provided with updated binaries, under embargo, on May 27. Further information can be found at https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/ Richard
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.