Security Notices

CVE-2020-13379: Grafana incorrect access control vulnerability

A new security vulnerability in Grafana was recently disclosed affecting all Grafana versions from 3.0.1 to 7.0.1.

This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on.

How to Patch It

We have updated all our solutions to include the latest versions of Grafana for branch 6 (6.7.4). We suggest you upgrade your Grafana installation to the latest version. If, for some reason, you are unable to upgrade your installation, the impact can be mitigated by blocking access to the avatar feature. This can be achieved by blocking requests to the “/avatar/*” URL via a web application firewall, load balancer, reverse proxy, or similar. It can also be mitigated by restricting access to Grafana.

You can find more information about the security issue in the official notice.

Last modification June 4, 2020