The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-5726 advisory.

  - A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows     malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious     container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other     containers, to redirect traffic to the malicious container. (CVE-2020-10749)

  - The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This     vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and     return its result to the user/client. This can be used to gain information about the network that Grafana     is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault.
    (CVE-2020-13379)

  - The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9,     v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows certain     authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the     master's host network (such as link-local or loopback services). (CVE-2020-8555)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:1518 advisory.

  - ceph: specially crafted XML payload on POST requests leads to DoS by crashing RGW (CVE-2020-12059)

  - grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send     HTTP requests to any URL (CVE-2020-13379)

  - ceph: User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila     (CVE-2020-27781)

  - tcmu-runner: SCSI target (LIO) write to any block on ILO backstore (CVE-2021-3139)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by a vulnerability as referenced in the CESA-2020:2641 advisory.

  - grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send     HTTP requests to any URL (CVE-2020-13379)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2020:5599 advisory.

  - grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send     HTTP requests to any URL (CVE-2020-13379)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for grafana, grafana-piechart-panel, grafana-status-panel fixes the following issues :

grafana was updated to version 7.0.3 :

  - Features / Enhancements

  - Stats: include all fields. #24829, @ryantxu

  - Variables: change VariableEditorList row action Icon to     IconButton. #25217, @hshoff

  - Bug fixes

  - Cloudwatch: Fix dimensions of DDoSProtection. #25317,     @papagian

  - Configuration: Fix env var override of sections     containing hyphen. #25178, @marefr

  - Dashboard: Get panels in collapsed rows. #25079,     @peterholmberg

  - Do not show alerts tab when alerting is disabled.
    #25285, @dprokop

  - Jaeger: fixes cascader option label duration value.
    #25129, @Estrax

  - Transformations: Fixed Transform tab crash & no update     after adding first transform. #25152, @torkelo

Update to version 7.0.2

  - Bug fixes

  - Security: Urgent security patch release to fix     CVE-2020-13379

Update to version 7.0.1

  - Features / Enhancements

  - Datasource/CloudWatch: Makes CloudWatch Logs query     history more readable. #24795, @kaydelaney

  - Download CSV: Add date and time formatting. #24992,     @ryantxu

  - Table: Make last cell value visible when right aligned.
    #24921, @peterholmberg

  - TablePanel: Adding sort order persistance. #24705,     @torkelo

  - Transformations: Display correct field name when using     reduce transformation. #25068, @peterholmberg

  - Transformations: Allow custom number input for binary     operations. #24752, @ryantxu

  - Bug fixes

  - Dashboard/Links: Fixes dashboard links by tags not     working. #24773, @KamalGalrani

  - Dashboard/Links: Fixes open in new window for dashboard     link. #24772, @KamalGalrani

  - Dashboard/Links: Variables are resolved and limits to     100. #25076, @hugohaggmark

  - DataLinks: Bring back variables interpolation in title.
    #24970, @dprokop

  - Datasource/CloudWatch: Field suggestions no longer     limited to prefix-only. #24855, @kaydelaney

  - Explore/Table: Keep existing field types if possible.
    #24944, @kaydelaney

  - Explore: Fix wrap lines toggle for results of queries     with filter expression. #24915, @ivanahuckova

  - Explore: fix undo in query editor. #24797, @zoltanbedi

  - Explore: fix word break in type head info. #25014,     @zoltanbedi

  - Graph: Legend decimals now work as expected. #24931,     @torkelo

  - LoginPage: Fix hover color for service buttons. #25009,     @tskarhed

  - LogsPanel: Fix scrollbar. #24850, @ivanahuckova

  - MoveDashboard: Fix for moving dashboard caused all     variables to be lost. #25005, @torkelo

  - Organize transformer: Use display name in field order     comparer. #24984, @dprokop

  - Panel: shows correct panel menu items in view mode.
    #24912, @hugohaggmark

  - PanelEditor Fix missing labels and description if there     is only single option in category. #24905, @dprokop

  - PanelEditor: Overrides name matcher still show all     original field names even after Field default display     name is specified. #24933, @torkelo

  - PanelInspector: Makes sure Data display options are     visible. #24902, @hugohaggmark

  - PanelInspector: Hides unsupported data display options     for Panel type. #24918, @hugohaggmark

  - PanelMenu: Make menu disappear on button press. #25015,     @tskarhed

  - Postgres: Fix add button. #25087, @phemmer

  - Prometheus: Fix recording rules expansion. #24977,     @ivanahuckova

  - Stackdriver: Fix creating Service Level Objectives (SLO)     datasource query variable. #25023, @papagian

Update to version 7.0.0 

  - Breaking changes

  - Removed PhantomJS: PhantomJS was deprecated in Grafana     v6.4 and starting from Grafana v7.0.0, all PhantomJS     support has been removed. This means that Grafana no     longer ships with a built-in image renderer, and we     advise you to install the Grafana Image Renderer plugin.

  - Dashboard: A global minimum dashboard refresh interval     is now enforced and defaults to 5 seconds.

  - Interval calculation: There is now a new option Max data     points that controls the auto interval $__interval     calculation. Interval was previously calculated by     dividing the panel width by the time range. With the new     max data points option it is now easy to set $__interval     to a dynamic value that is time range agnostic. For     example if you set Max data points to 10 Grafana will     dynamically set $__interval by dividing the current time     range by 10.

  - Datasource/Loki: Support for deprecated Loki endpoints     has been removed.

  - Backend plugins: Grafana now requires backend plugins to     be signed, otherwise Grafana will not load/start them.
    This is an additional security measure to make sure     backend plugin binaries and files haven't been tampered     with. Refer to Upgrade Grafana for more information.

  - @grafana/ui: Forms migration notice, see @grafana/ui     changelog

  - @grafana/ui: Select API change for creating custom     values, see @grafana/ui changelog

  + Deprecation warnings

  - Scripted dashboards is now deprecated. The feature is     not removed but will be in a future release. We hope to     address the underlying requirement of dynamic dashboards     in a different way. #24059

  - The unofficial first version of backend plugins together     with usage of grafana/grafana-plugin-model is now     deprecated and support for that will be removed in a     future release. Please refer to backend plugins     documentation for information about the new officially     supported backend plugins.

  - Features / Enhancements

  - Backend plugins: Log deprecation warning when using the     unofficial first version of backend plugins. #24675,     @marefr

  - Editor: New line on Enter, run query on Shift+Enter.
    #24654, @davkal

  - Loki: Allow multiple derived fields with the same name.
    #24437, @aocenas

  - Orgs: Add future deprecation notice. #24502, @torkelo

  - Bug Fixes

  - @grafana/toolkit: Use process.cwd() instead of PWD to     get directory. #24677, @zoltanbedi

  - Admin: Makes long settings values line break in settings     page. #24559, @hugohaggmark

  - Dashboard: Allow editing provisioned dashboard JSON and     add confirmation when JSON is copied to dashboard.
    #24680, @dprokop

  - Dashboard: Fix for strange 'dashboard not found' errors     when opening links in dashboard settings. #24416,     @torkelo

  - Dashboard: Fix so default data source is selected when     data source can't be found in panel editor. #24526,     @mckn

  - Dashboard: Fixed issue changing a panel from transparent     back to normal in panel editor. #24483, @torkelo

  - Dashboard: Make header names reflect the field name when     exporting to CSV file from the the panel inspector.
    #24624, @peterholmberg

  - Dashboard: Make sure side pane is displayed with tabs by     default in panel editor. #24636, @dprokop

  - Data source: Fix query/annotation help content     formatting. #24687, @AgnesToulet

  - Data source: Fixes async mount errors. #24579, @Estrax

  - Data source: Fixes saving a data source without failure     when URL doesn't specify a protocol. #24497, @aknuds1

  - Explore/Prometheus: Show results of instant queries only     in table. #24508, @ivanahuckova

  - Explore: Fix rendering of react query editors. #24593,     @ivanahuckova

  - Explore: Fixes loading more logs in logs context view.
    #24135, @Estrax

  - Graphite: Fix schema and dedupe strategy in rollup     indicators for Metrictank queries. #24685, @torkelo

  - Graphite: Makes query annotations work again. #24556,     @hugohaggmark

  - Logs: Clicking 'Load more' from context overlay doesn't     expand log row. #24299, @kaydelaney

  - Logs: Fix total bytes process calculation. #24691,     @davkal

  - Org/user/team preferences: Fixes so UI Theme can be set     back to Default. #24628, @AgnesToulet

  - Plugins: Fix manifest validation. #24573, @aknuds1

  - Provisioning: Use proxy as default access mode in     provisioning. #24669, @bergquist

  - Search: Fix select item when pressing enter and Grafana     is served using a sub path. #24634, @tskarhed

  - Search: Save folder expanded state. #24496, @Clarity-89

  - Security: Tag value sanitization fix in OpenTSDB data     source. #24539, @rotemreiss

  - Table: Do not include angular options in options when     switching from angular panel. #24684, @torkelo

  - Table: Fixed persisting column resize for time series     fields. #24505, @torkelo

  - Table: Fixes Cannot read property subRows of null.
    #24578, @hugohaggmark

  - Time picker: Fixed so you can enter a relative range in     the time picker without being converted to absolute     range. #24534, @mckn

  - Transformations: Make transform dropdowns not cropped.
    #24615, @dprokop

  - Transformations: Sort order should be preserved as     entered by user when using the reduce transformation.
    #24494, @hugohaggmark

  - Units: Adds scale symbol for currencies with suffixed     symbol. #24678, @hugohaggmark

  - Variables: Fixes filtering options with more than 1000     entries. #24614, @hugohaggmark

  - Variables: Fixes so Textbox variables read value from     url. #24623, @hugohaggmark

  - Zipkin: Fix error when span contains remoteEndpoint.
    #24524, @aocenas

  - SAML: Switch from email to login for user login     attribute mapping (Enterprise)

This update was imported from the SUSE:SLE-15-SP2:Update update project.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2861 advisory.

  - kubernetes: YAML parsing vulnerable to Billion Laughs attack, allowing for remote denial of service     (CVE-2019-11253)

  - grafana: XSS annotation popup vulnerability (CVE-2020-12052)

  - grafana: XSS via column.title or cellLinkTooltip (CVE-2020-12245)

  - grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send     HTTP requests to any URL (CVE-2020-13379)

  - grafana: XSS via the OpenTSDB datasource (CVE-2020-13430)

  - npm-serialize-javascript: allows remote attackers to inject arbitrary code via the function     deleteFunctions within index.js (CVE-2020-7660)

  - npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser (CVE-2020-7662)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2796 advisory.

  - kubernetes: YAML parsing vulnerable to Billion Laughs attack, allowing for remote denial of service     (CVE-2019-11253)

  - npm-serialize-javascript: XSS via unsafe characters in serialized regular expressions (CVE-2019-16769)

  - npm-serialize-javascript: allows remote attackers to inject arbitrary code via the function     deleteFunctions within index.js (CVE-2020-7660)

  - npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser (CVE-2020-7662)

  - grafana: XSS annotation popup vulnerability (CVE-2020-12052)

  - grafana: XSS via column.title or cellLinkTooltip (CVE-2020-12245)

  - grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send     HTTP requests to any URL (CVE-2020-13379)

  - grafana: XSS via the OpenTSDB datasource (CVE-2020-13430)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:2676 advisory.

  - grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send     HTTP requests to any URL (CVE-2020-13379)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

From Red Hat Security Advisory 2020:2641 :

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:2641 advisory.

  - grafana: SSRF incorrect access control vulnerability     allows unauthenticated users to make grafana send HTTP     requests to any URL (CVE-2020-13379)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:2641 advisory.

  - grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send     HTTP requests to any URL (CVE-2020-13379)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Security fix for CVE-2020-13379

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
180932	Oracle Linux 7 : grafana / kubernetes-cni / kubernetes-cni-plugins / kubernetes / kubernetes / olcne (ELSA-2020-5726)	Nessus	Oracle Linux Local Security Checks	high
149317	RHEL 7 : Red Hat Ceph Storage 3.3 Security and Bug Fix Update (Important) (RHSA-2021:1518)	Nessus	Red Hat Local Security Checks	high
145905	CentOS 8 : grafana (CESA-2020:2641)	Nessus	CentOS Local Security Checks	high
144408	RHEL 7 : web-admin-build (RHSA-2020:5599)	Nessus	Red Hat Local Security Checks	high
139022	openSUSE Security Update : SUSE Manager Client Tools (openSUSE-2020-1105)	Nessus	SuSE Local Security Checks	high
138793	SUSE SLES12 Security Update : SUSE Manager Client Tools (SUSE-SU-2020:1970-1)	Nessus	SuSE Local Security Checks	high
138710	openSUSE Security Update : grafana / grafana-piechart-panel / grafana-status-panel (openSUSE-2020-892)	Nessus	SuSE Local Security Checks	high
138178	RHEL 8 : Red Hat OpenShift Service Mesh 1.0 servicemesh-grafana (RHSA-2020:2861)	Nessus	Red Hat Local Security Checks	high
138031	RHEL 8 : Red Hat OpenShift Service Mesh servicemesh-grafana (RHSA-2020:2796)	Nessus	Red Hat Local Security Checks	high
137829	RHEL 8 : grafana (RHSA-2020:2676)	Nessus	Red Hat Local Security Checks	high
137771	Oracle Linux 8 : grafana (ELSA-2020-2641)	Nessus	Oracle Linux Local Security Checks	high
137708	RHEL 8 : grafana (RHSA-2020:2641)	Nessus	Red Hat Local Security Checks	high
137433	Fedora 31 : grafana (2020-e6e81a03d6)	Nessus	Fedora Local Security Checks	high
137427	Fedora 32 : grafana (2020-a09e5be0be)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2020-13379

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high