Date: Tue, 9 Jun 2020 12:08:24 +0200
From: Richard Hartmann <richih.mailinglist@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Grafana 6.7.4 and 7.0.2 released with fix for CVE-2020-13379

Thank you to Mark Cooper from Red Hat, BCC'ed, for pointing out that the
same issue could be abused for DoS via SegFault.

We are updating our blog post and will update the CVE as well.

Best,
Richard

On Wed, Jun 3, 2020 at 3:34 PM Richard Hartmann <richih.mailinglist@...il.com> wrote:
>
> Dear all,
>
> today we are releasing Grafana 6.7.4 and 7.0.2. These patch releases
> include an important security fix for an issue that affects all
> Grafana versions from 3.0.1 to 7.0.1.
>
> Incorrect access control vulnerability (CVE-2020-13379)
> We received a security report to security@...fana.com on May 14, 2020,
> about a vulnerability in Grafana regarding the avatar feature. It was
> later identified as affecting Grafana versions from 3.0.1 to 7.0.1.
> CVE-2020-13379 has been assigned to this vulnerability.
>
> This vulnerability allows any unauthenticated user/client to make
> Grafana send HTTP requests to any URL and return its result to the
> user/client. This can be used to gain information about the network
> that Grafana is running on.
>
> If for some reason you cannot upgrade, the impact can be mitigated by
> blocking access to the avatar feature by blocking the /avatar/* URL
> via a web application firewall, load balancer, reverse proxy, or
> similar. It can also be mitigated by restricting access to Grafana.
>
> Affected versions
> Grafana releases 3.0.1 through 7.0.1
>
> Patched versions
> 7.x and 6.7.x
>
> Solutions and mitigations
> Download and install the appropriate patch for your version of Grafana.
>
> Grafana Cloud instances have already been patched, and Grafana
> Enterprise customers were provided with updated binaries, under
> embargo, on May 27.
>
> Further information can be found at
> https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/
>
>
> Richard

-- 
Richard
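A fleet-triage helper for the version ranges the announcement gives (affected 3.0.1 through 7.0.1, fixed in 6.7.4 and 7.0.2), added here as an example and not code from the post or from Grafana. It shows the edge case a plain "version <= 7.0.1" comparison gets wrong: the patched 6.7.x line sits numerically inside the affected range, and a pre-release of a fixed version is still unpatched.

```python
"""Fleet triage for CVE-2020-13379 (Grafana avatar SSRF / DoS).

Added example, not code from the oss-security post or from Grafana. The
numbers are the announcement's: 3.0.1 through 7.0.1 affected, fixed in
6.7.4 and 7.0.2. A naive "version <= 7.0.1" test would flag the patched
6.7.4 as vulnerable, so each instance is compared against the fix on its
own release line.
"""
import re
FIRST_AFFECTED = (3, 0, 1, 0)   # 3.0.1, pre-releases of it included
FIXED_6X = (6, 7, 4, 1)         # 6.7.4 final
FIXED_7X = (7, 0, 2, 1)         # 7.0.2 final

# Accepts "7.0.1", "v7.0.1" and "7.0.1-beta1"; a suffix marks a pre-release.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")

def parse_version(text):
    """Return (major, minor, patch, final); final is 0 for pre-releases so
    '7.0.2-beta1' sorts below '7.0.2' and still counts as unpatched."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)

def fixed_release_for(version):
    """Fixed release on the same line: 7.0.2 for 7.x and later, else 6.7.4."""
    return FIXED_7X if version[0] >= 7 else FIXED_6X

def is_affected(text):
    """True when the release is in the advisory's range and predates its fix."""
    v = parse_version(text)
    return FIRST_AFFECTED <= v < fixed_release_for(v)

def recommended_upgrade(text):
    """Upgrade target as 'x.y.z', or None when the instance is not affected."""
    v = parse_version(text)
    if not is_affected(text):
        return None
    return "%d.%d.%d" % fixed_release_for(v)[:3]

def triage(inventory):
    """{instance: version} -> sorted (instance, version, action) rows."""
    rows = []
    for name, version in inventory.items():
        target = recommended_upgrade(version)
        rows.append((name, version, f"upgrade to {target}" if target else "not affected"))
    return sorted(rows)
```

Feed `triage` a mapping of instance names to the version strings reported by each Grafana deployment (constructed sample values work for a dry run) and act on the rows marked for upgrade.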