The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-5726 advisory.

    - CVE-2020-10749: IPv4 only clusters susceptible to MitM attacks via IPv6 rogue router advertisements
    - CVE-2020-8555: Half-Blind SSRF in kube-controller-manager
    - [CVE-2019-11254] kube-apiserver Denial of Service vulnerability from malicious YAML payloads
    - Update to kubernetes-cni for CVE-2020-10749
    - Update Istio to use Grafana 6.7.4 to address CVE-2020-13379

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:1518 advisory.

    Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable     version of the Ceph storage system with a Ceph management platform, deployment utilities, and support     services.

    The ceph-ansible package provides Ansible playbooks for installing, maintaining, and upgrading Red Hat     Ceph Storage.

    Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB &     OpenTSDB.

    The tcmu-runner packages provide a service that handles the complexity of the LIO kernel target's     userspace passthrough interface (TCMU). It presents a C plugin API for extension modules that handle SCSI     requests in ways not possible or suitable to be handled by LIO's in-kernel backstores.

    Security Fix(es):

    * grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send     HTTP requests to any URL (CVE-2020-13379)

    * ceph: User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila     (CVE-2020-27781)

    * tcmu-runner: SCSI target (LIO) write to any block on ILO backstore (CVE-2021-3139)

    * ceph: specially crafted XML payload on POST requests leads to DoS by crashing RGW (CVE-2020-12059)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Bug Fix(es):

    This advisory fixes the following bug:

    * When rebooting OSDs, the `_OSD down_` tab in the `_CEPH Backend storage_` dashboard shows the correct     number of OSDs that is `down`. However, when all OSDs are `up` again after the reboot, the tab continues     showing the number of `down` OSDs. With this update, both CLI and Grafana values are matching during osd     up/down operation and working as expected. (BZ#1652233)

    All users of Red Hat Ceph Storage are advised to upgrade to these updated packages.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by a vulnerability as referenced in the CESA-2020:2641 advisory.

  - grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send     HTTP requests to any URL (CVE-2020-13379)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2020:5599 advisory.

    Red Hat Gluster Storage is software only scale-out storage solution that     provides flexible and affordable unstructured data storage. It unifies data     storage and infrastructure, increases performance, and improves     availability and manageability to meet enterprise-level storage challenges.

    Security Fix(es):

    * grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send     HTTP requests to any URL (CVE-2020-13379)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    This advisory fixes the following bug:

    * Previously, tendrl-node-agent service was unable to import the cluster in a VMware environment as tendrl     was looking for the serial number of the devices. With the current update, tendrl-node-agent service is     able to import the cluster in a VMware environment without failure as the hardware_id and parent_id of the     devices are used after proper validation instead of the serial number. (BZ#1809920)

    Users of web-admin-build with Red Hat Gluster Storage are advised to upgrade to these updated packages.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for grafana, grafana-piechart-panel, grafana-status-panel fixes the following issues :

grafana was updated to version 7.0.3 :

  - Features / Enhancements

  - Stats: include all fields. #24829, @ryantxu

  - Variables: change VariableEditorList row action Icon to     IconButton. #25217, @hshoff

  - Bug fixes

  - Cloudwatch: Fix dimensions of DDoSProtection. #25317,     @papagian

  - Configuration: Fix env var override of sections     containing hyphen. #25178, @marefr

  - Dashboard: Get panels in collapsed rows. #25079,     @peterholmberg

  - Do not show alerts tab when alerting is disabled.
    #25285, @dprokop

  - Jaeger: fixes cascader option label duration value.
    #25129, @Estrax

  - Transformations: Fixed Transform tab crash & no update     after adding first transform. #25152, @torkelo

Update to version 7.0.2

  - Bug fixes

  - Security: Urgent security patch release to fix     CVE-2020-13379

Update to version 7.0.1

  - Features / Enhancements

  - Datasource/CloudWatch: Makes CloudWatch Logs query     history more readable. #24795, @kaydelaney

  - Download CSV: Add date and time formatting. #24992,     @ryantxu

  - Table: Make last cell value visible when right aligned.
    #24921, @peterholmberg

  - TablePanel: Adding sort order persistance. #24705,     @torkelo

  - Transformations: Display correct field name when using     reduce transformation. #25068, @peterholmberg

  - Transformations: Allow custom number input for binary     operations. #24752, @ryantxu

  - Bug fixes

  - Dashboard/Links: Fixes dashboard links by tags not     working. #24773, @KamalGalrani

  - Dashboard/Links: Fixes open in new window for dashboard     link. #24772, @KamalGalrani

  - Dashboard/Links: Variables are resolved and limits to     100. #25076, @hugohaggmark

  - DataLinks: Bring back variables interpolation in title.
    #24970, @dprokop

  - Datasource/CloudWatch: Field suggestions no longer     limited to prefix-only. #24855, @kaydelaney

  - Explore/Table: Keep existing field types if possible.
    #24944, @kaydelaney

  - Explore: Fix wrap lines toggle for results of queries     with filter expression. #24915, @ivanahuckova

  - Explore: fix undo in query editor. #24797, @zoltanbedi

  - Explore: fix word break in type head info. #25014,     @zoltanbedi

  - Graph: Legend decimals now work as expected. #24931,     @torkelo

  - LoginPage: Fix hover color for service buttons. #25009,     @tskarhed

  - LogsPanel: Fix scrollbar. #24850, @ivanahuckova

  - MoveDashboard: Fix for moving dashboard caused all     variables to be lost. #25005, @torkelo

  - Organize transformer: Use display name in field order     comparer. #24984, @dprokop

  - Panel: shows correct panel menu items in view mode.
    #24912, @hugohaggmark

  - PanelEditor Fix missing labels and description if there     is only single option in category. #24905, @dprokop

  - PanelEditor: Overrides name matcher still show all     original field names even after Field default display     name is specified. #24933, @torkelo

  - PanelInspector: Makes sure Data display options are     visible. #24902, @hugohaggmark

  - PanelInspector: Hides unsupported data display options     for Panel type. #24918, @hugohaggmark

  - PanelMenu: Make menu disappear on button press. #25015,     @tskarhed

  - Postgres: Fix add button. #25087, @phemmer

  - Prometheus: Fix recording rules expansion. #24977,     @ivanahuckova

  - Stackdriver: Fix creating Service Level Objectives (SLO)     datasource query variable. #25023, @papagian

Update to version 7.0.0 

  - Breaking changes

  - Removed PhantomJS: PhantomJS was deprecated in Grafana     v6.4 and starting from Grafana v7.0.0, all PhantomJS     support has been removed. This means that Grafana no     longer ships with a built-in image renderer, and we     advise you to install the Grafana Image Renderer plugin.

  - Dashboard: A global minimum dashboard refresh interval     is now enforced and defaults to 5 seconds.

  - Interval calculation: There is now a new option Max data     points that controls the auto interval $__interval     calculation. Interval was previously calculated by     dividing the panel width by the time range. With the new     max data points option it is now easy to set $__interval     to a dynamic value that is time range agnostic. For     example if you set Max data points to 10 Grafana will     dynamically set $__interval by dividing the current time     range by 10.

  - Datasource/Loki: Support for deprecated Loki endpoints     has been removed.

  - Backend plugins: Grafana now requires backend plugins to     be signed, otherwise Grafana will not load/start them.
    This is an additional security measure to make sure     backend plugin binaries and files haven't been tampered     with. Refer to Upgrade Grafana for more information.

  - @grafana/ui: Forms migration notice, see @grafana/ui     changelog

  - @grafana/ui: Select API change for creating custom     values, see @grafana/ui changelog

  + Deprecation warnings

  - Scripted dashboards is now deprecated. The feature is     not removed but will be in a future release. We hope to     address the underlying requirement of dynamic dashboards     in a different way. #24059

  - The unofficial first version of backend plugins together     with usage of grafana/grafana-plugin-model is now     deprecated and support for that will be removed in a     future release. Please refer to backend plugins     documentation for information about the new officially     supported backend plugins.

  - Features / Enhancements

  - Backend plugins: Log deprecation warning when using the     unofficial first version of backend plugins. #24675,     @marefr

  - Editor: New line on Enter, run query on Shift+Enter.
    #24654, @davkal

  - Loki: Allow multiple derived fields with the same name.
    #24437, @aocenas

  - Orgs: Add future deprecation notice. #24502, @torkelo

  - Bug Fixes

  - @grafana/toolkit: Use process.cwd() instead of PWD to     get directory. #24677, @zoltanbedi

  - Admin: Makes long settings values line break in settings     page. #24559, @hugohaggmark

  - Dashboard: Allow editing provisioned dashboard JSON and     add confirmation when JSON is copied to dashboard.
    #24680, @dprokop

  - Dashboard: Fix for strange 'dashboard not found' errors     when opening links in dashboard settings. #24416,     @torkelo

  - Dashboard: Fix so default data source is selected when     data source can't be found in panel editor. #24526,     @mckn

  - Dashboard: Fixed issue changing a panel from transparent     back to normal in panel editor. #24483, @torkelo

  - Dashboard: Make header names reflect the field name when     exporting to CSV file from the the panel inspector.
    #24624, @peterholmberg

  - Dashboard: Make sure side pane is displayed with tabs by     default in panel editor. #24636, @dprokop

  - Data source: Fix query/annotation help content     formatting. #24687, @AgnesToulet

  - Data source: Fixes async mount errors. #24579, @Estrax

  - Data source: Fixes saving a data source without failure     when URL doesn't specify a protocol. #24497, @aknuds1

  - Explore/Prometheus: Show results of instant queries only     in table. #24508, @ivanahuckova

  - Explore: Fix rendering of react query editors. #24593,     @ivanahuckova

  - Explore: Fixes loading more logs in logs context view.
    #24135, @Estrax

  - Graphite: Fix schema and dedupe strategy in rollup     indicators for Metrictank queries. #24685, @torkelo

  - Graphite: Makes query annotations work again. #24556,     @hugohaggmark

  - Logs: Clicking 'Load more' from context overlay doesn't     expand log row. #24299, @kaydelaney

  - Logs: Fix total bytes process calculation. #24691,     @davkal

  - Org/user/team preferences: Fixes so UI Theme can be set     back to Default. #24628, @AgnesToulet

  - Plugins: Fix manifest validation. #24573, @aknuds1

  - Provisioning: Use proxy as default access mode in     provisioning. #24669, @bergquist

  - Search: Fix select item when pressing enter and Grafana     is served using a sub path. #24634, @tskarhed

  - Search: Save folder expanded state. #24496, @Clarity-89

  - Security: Tag value sanitization fix in OpenTSDB data     source. #24539, @rotemreiss

  - Table: Do not include angular options in options when     switching from angular panel. #24684, @torkelo

  - Table: Fixed persisting column resize for time series     fields. #24505, @torkelo

  - Table: Fixes Cannot read property subRows of null.
    #24578, @hugohaggmark

  - Time picker: Fixed so you can enter a relative range in     the time picker without being converted to absolute     range. #24534, @mckn

  - Transformations: Make transform dropdowns not cropped.
    #24615, @dprokop

  - Transformations: Sort order should be preserved as     entered by user when using the reduce transformation.
    #24494, @hugohaggmark

  - Units: Adds scale symbol for currencies with suffixed     symbol. #24678, @hugohaggmark

  - Variables: Fixes filtering options with more than 1000     entries. #24614, @hugohaggmark

  - Variables: Fixes so Textbox variables read value from     url. #24623, @hugohaggmark

  - Zipkin: Fix error when span contains remoteEndpoint.
    #24524, @aocenas

  - SAML: Switch from email to login for user login     attribute mapping (Enterprise)

This update was imported from the SUSE:SLE-15-SP2:Update update project.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2861 advisory.

    Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for     installation into an on-premise OpenShift Container Platform installation.

    Security Fix(es):

    * kubernetes: YAML parsing vulnerable to Billion Laughs attack, allowing for remote denial of service     (CVE-2019-11253)

    * grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send     HTTP requests to any URL (CVE-2020-13379)

    * npm-serialize-javascript: allows remote attackers to inject arbitrary code via the function     deleteFunctions within index.js (CVE-2020-7660)

    * npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser (CVE-2020-7662)

    * grafana: XSS annotation popup vulnerability (CVE-2020-12052)

    * grafana: XSS via column.title or cellLinkTooltip (CVE-2020-12245)

    * grafana: XSS via the OpenTSDB datasource (CVE-2020-13430)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2796 advisory.

    Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for     installation into an on-premise OpenShift Container Platform installation.

    Security Fix(es):

    * kubernetes: YAML parsing vulnerable to Billion Laughs attack, allowing for remote denial of service     (CVE-2019-11253)

    * grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send     HTTP requests to any URL (CVE-2020-13379)

    * npm-serialize-javascript: XSS via unsafe characters in serialized regular expressions (CVE-2019-16769)

    * npm-serialize-javascript: allows remote attackers to inject arbitrary code via the function     deleteFunctions within index.js (CVE-2020-7660)

    * npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser (CVE-2020-7662)

    * grafana: XSS annotation popup vulnerability (CVE-2020-12052)

    * grafana: XSS via column.title or cellLinkTooltip (CVE-2020-12245)

    * grafana: XSS via the OpenTSDB datasource (CVE-2020-13430)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:2676 advisory.

    Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB &     OpenTSDB.

    Security Fix(es):

    * grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send     HTTP requests to any URL (CVE-2020-13379)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2020-2641 advisory.

    [6.3.6-2]
    - fix CVE-2020-13379

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:2641 advisory.

    Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB &     OpenTSDB.

    Security Fix(es):

    * grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send     HTTP requests to any URL (CVE-2020-13379)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Security fix for CVE-2020-13379

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
180932	Oracle Linux 7 : grafana / kubernetes-cni / kubernetes-cni-plugins / kubernetes / kubernetes / olcne (ELSA-2020-5726)	Nessus	Oracle Linux Local Security Checks	high
149317	RHEL 7 : Red Hat Ceph Storage 3.3 Security and Bug Fix Update (Important) (RHSA-2021:1518)	Nessus	Red Hat Local Security Checks	high
145905	CentOS 8 : grafana (CESA-2020:2641)	Nessus	CentOS Local Security Checks	high
144408	RHEL 7 : web-admin-build (RHSA-2020:5599)	Nessus	Red Hat Local Security Checks	high
139022	openSUSE Security Update : SUSE Manager Client Tools (openSUSE-2020-1105)	Nessus	SuSE Local Security Checks	high
138793	SUSE SLES12 Security Update : SUSE Manager Client Tools (SUSE-SU-2020:1970-1)	Nessus	SuSE Local Security Checks	high
138710	openSUSE Security Update : grafana / grafana-piechart-panel / grafana-status-panel (openSUSE-2020-892)	Nessus	SuSE Local Security Checks	high
138178	RHEL 8 : Red Hat OpenShift Service Mesh 1.0 servicemesh-grafana (RHSA-2020:2861)	Nessus	Red Hat Local Security Checks	high
138031	RHEL 8 : Red Hat OpenShift Service Mesh servicemesh-grafana (RHSA-2020:2796)	Nessus	Red Hat Local Security Checks	high
137829	RHEL 8 : grafana (RHSA-2020:2676)	Nessus	Red Hat Local Security Checks	high
137771	Oracle Linux 8 : grafana (ELSA-2020-2641)	Nessus	Oracle Linux Local Security Checks	high
137708	RHEL 8 : grafana (RHSA-2020:2641)	Nessus	Red Hat Local Security Checks	high
137433	Fedora 31 : grafana (2020-e6e81a03d6)	Nessus	Fedora Local Security Checks	high
137427	Fedora 32 : grafana (2020-a09e5be0be)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2020-13379

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high