rhsa-2021_0083
Vulnerability from csaf_redhat
Published
2021-01-12 15:21
Modified
2024-11-05 23:10
Summary
Red Hat Security Advisory: Red Hat Ceph Storage 4.2 security and bug fix update

Notes

Topic
An update is now available for Red Hat Ceph Storage 4.2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The rhceph-4.2 image is based on Red Hat Ceph Storage 4.2 and Red Hat Enterprise Linux. Security Fix(es): * grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send HTTP requests to any URL (CVE-2020-13379) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): Users are directed to the Red Hat Ceph Storage 4.2 Release Notes for information on the most significant of these changes: https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/4.2/html /release_notes/ All users of the rhceph-4.2 image are advised to pull this updated image from the Red Hat Ecosystem Catalog.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.


To clipboard 

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for Red Hat Ceph Storage 4.2.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The rhceph-4.2 image is based on Red Hat Ceph Storage 4.2 and Red Hat Enterprise Linux.\n\nSecurity Fix(es):\n\n* grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send HTTP requests to any URL (CVE-2020-13379)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\nUsers are directed to the Red Hat Ceph Storage 4.2 Release Notes for information on the most significant of these changes:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/4.2/html\n/release_notes/\n\nAll users of the rhceph-4.2 image are advised to pull this updated image from the Red Hat Ecosystem Catalog.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2021:0083",
        "url": "https://access.redhat.com/errata/RHSA-2021:0083"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "1843640",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1843640"
      },
      {
        "category": "external",
        "summary": "1879672",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1879672"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_0083.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Ceph Storage 4.2 security and bug fix update",
    "tracking": {
      "current_release_date": "2024-11-05T23:10:51+00:00",
      "generator": {
        "date": "2024-11-05T23:10:51+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.1.1"
        }
      },
      "id": "RHSA-2021:0083",
      "initial_release_date": "2021-01-12T15:21:34+00:00",
      "revision_history": [
        {
          "date": "2021-01-12T15:21:34+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2021-01-12T15:21:34+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-05T23:10:51+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Ceph Storage 4.2 Tools",
                "product": {
                  "name": "Red Hat Ceph Storage 4.2 Tools",
                  "product_id": "8Base-RHCEPH-4.2-Tools",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:ceph_storage:4::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Ceph Storage"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhceph/ansible-runner-rhel8@sha256:7d23f1ce1b59b0902e7ede6e63a49449053d0326723eb6e77d3c054b49ac44cf_s390x",
                "product": {
                  "name": "rhceph/ansible-runner-rhel8@sha256:7d23f1ce1b59b0902e7ede6e63a49449053d0326723eb6e77d3c054b49ac44cf_s390x",
                  "product_id": "rhceph/ansible-runner-rhel8@sha256:7d23f1ce1b59b0902e7ede6e63a49449053d0326723eb6e77d3c054b49ac44cf_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/ansible-runner-rhel8@sha256:7d23f1ce1b59b0902e7ede6e63a49449053d0326723eb6e77d3c054b49ac44cf?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/ansible-runner-rhel8\u0026tag=4.0-32"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhceph/rhceph-4-rhel8@sha256:da6341a7905300b5e6fec606cfbeabc68d8aeff662bae1174bd1c728d9e4a306_s390x",
                "product": {
                  "name": "rhceph/rhceph-4-rhel8@sha256:da6341a7905300b5e6fec606cfbeabc68d8aeff662bae1174bd1c728d9e4a306_s390x",
                  "product_id": "rhceph/rhceph-4-rhel8@sha256:da6341a7905300b5e6fec606cfbeabc68d8aeff662bae1174bd1c728d9e4a306_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhceph-4-rhel8@sha256:da6341a7905300b5e6fec606cfbeabc68d8aeff662bae1174bd1c728d9e4a306?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/rhceph-4-rhel8\u0026tag=4-41"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhceph/ansible-runner-rhel8@sha256:7a61e55121f0f0a4dc303e38f9740f70fcf81d3edd63a88384e80228bd1ac2fa_amd64",
                "product": {
                  "name": "rhceph/ansible-runner-rhel8@sha256:7a61e55121f0f0a4dc303e38f9740f70fcf81d3edd63a88384e80228bd1ac2fa_amd64",
                  "product_id": "rhceph/ansible-runner-rhel8@sha256:7a61e55121f0f0a4dc303e38f9740f70fcf81d3edd63a88384e80228bd1ac2fa_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/ansible-runner-rhel8@sha256:7a61e55121f0f0a4dc303e38f9740f70fcf81d3edd63a88384e80228bd1ac2fa?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/ansible-runner-rhel8\u0026tag=4.0-32"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhceph/rhceph-4-dashboard-rhel8@sha256:79e33719f20400faae48172305cc358466ae42ffeefc3e414741ef3114318772_amd64",
                "product": {
                  "name": "rhceph/rhceph-4-dashboard-rhel8@sha256:79e33719f20400faae48172305cc358466ae42ffeefc3e414741ef3114318772_amd64",
                  "product_id": "rhceph/rhceph-4-dashboard-rhel8@sha256:79e33719f20400faae48172305cc358466ae42ffeefc3e414741ef3114318772_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhceph-4-dashboard-rhel8@sha256:79e33719f20400faae48172305cc358466ae42ffeefc3e414741ef3114318772?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-4-dashboard-rhel8\u0026tag=4-22"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhceph/rhceph-4-rhel8@sha256:620919a0197437bb623b75fcd7d40a519e6b0d6a1af722fe8731f92e20b60cc2_amd64",
                "product": {
                  "name": "rhceph/rhceph-4-rhel8@sha256:620919a0197437bb623b75fcd7d40a519e6b0d6a1af722fe8731f92e20b60cc2_amd64",
                  "product_id": "rhceph/rhceph-4-rhel8@sha256:620919a0197437bb623b75fcd7d40a519e6b0d6a1af722fe8731f92e20b60cc2_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhceph-4-rhel8@sha256:620919a0197437bb623b75fcd7d40a519e6b0d6a1af722fe8731f92e20b60cc2?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-4-rhel8\u0026tag=4-41"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhceph/ansible-runner-rhel8@sha256:883246430bdf41eeea8e4df1ffc00f9083950a20c24ea98ab8742d7a90d6dc2b_ppc64le",
                "product": {
                  "name": "rhceph/ansible-runner-rhel8@sha256:883246430bdf41eeea8e4df1ffc00f9083950a20c24ea98ab8742d7a90d6dc2b_ppc64le",
                  "product_id": "rhceph/ansible-runner-rhel8@sha256:883246430bdf41eeea8e4df1ffc00f9083950a20c24ea98ab8742d7a90d6dc2b_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/ansible-runner-rhel8@sha256:883246430bdf41eeea8e4df1ffc00f9083950a20c24ea98ab8742d7a90d6dc2b?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/ansible-runner-rhel8\u0026tag=4.0-32"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhceph/rhceph-4-rhel8@sha256:4feb0e6cdd56656741bcb9dc54d7750aa7b9db1063c94b9217255f899f909dae_ppc64le",
                "product": {
                  "name": "rhceph/rhceph-4-rhel8@sha256:4feb0e6cdd56656741bcb9dc54d7750aa7b9db1063c94b9217255f899f909dae_ppc64le",
                  "product_id": "rhceph/rhceph-4-rhel8@sha256:4feb0e6cdd56656741bcb9dc54d7750aa7b9db1063c94b9217255f899f909dae_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhceph-4-rhel8@sha256:4feb0e6cdd56656741bcb9dc54d7750aa7b9db1063c94b9217255f899f909dae?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/rhceph-4-rhel8\u0026tag=4-41"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhceph/ansible-runner-rhel8@sha256:7a61e55121f0f0a4dc303e38f9740f70fcf81d3edd63a88384e80228bd1ac2fa_amd64 as a component of Red Hat Ceph Storage 4.2 Tools",
          "product_id": "8Base-RHCEPH-4.2-Tools:rhceph/ansible-runner-rhel8@sha256:7a61e55121f0f0a4dc303e38f9740f70fcf81d3edd63a88384e80228bd1ac2fa_amd64"
        },
        "product_reference": "rhceph/ansible-runner-rhel8@sha256:7a61e55121f0f0a4dc303e38f9740f70fcf81d3edd63a88384e80228bd1ac2fa_amd64",
        "relates_to_product_reference": "8Base-RHCEPH-4.2-Tools"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhceph/ansible-runner-rhel8@sha256:7d23f1ce1b59b0902e7ede6e63a49449053d0326723eb6e77d3c054b49ac44cf_s390x as a component of Red Hat Ceph Storage 4.2 Tools",
          "product_id": "8Base-RHCEPH-4.2-Tools:rhceph/ansible-runner-rhel8@sha256:7d23f1ce1b59b0902e7ede6e63a49449053d0326723eb6e77d3c054b49ac44cf_s390x"
        },
        "product_reference": "rhceph/ansible-runner-rhel8@sha256:7d23f1ce1b59b0902e7ede6e63a49449053d0326723eb6e77d3c054b49ac44cf_s390x",
        "relates_to_product_reference": "8Base-RHCEPH-4.2-Tools"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhceph/ansible-runner-rhel8@sha256:883246430bdf41eeea8e4df1ffc00f9083950a20c24ea98ab8742d7a90d6dc2b_ppc64le as a component of Red Hat Ceph Storage 4.2 Tools",
          "product_id": "8Base-RHCEPH-4.2-Tools:rhceph/ansible-runner-rhel8@sha256:883246430bdf41eeea8e4df1ffc00f9083950a20c24ea98ab8742d7a90d6dc2b_ppc64le"
        },
        "product_reference": "rhceph/ansible-runner-rhel8@sha256:883246430bdf41eeea8e4df1ffc00f9083950a20c24ea98ab8742d7a90d6dc2b_ppc64le",
        "relates_to_product_reference": "8Base-RHCEPH-4.2-Tools"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhceph/rhceph-4-dashboard-rhel8@sha256:79e33719f20400faae48172305cc358466ae42ffeefc3e414741ef3114318772_amd64 as a component of Red Hat Ceph Storage 4.2 Tools",
          "product_id": "8Base-RHCEPH-4.2-Tools:rhceph/rhceph-4-dashboard-rhel8@sha256:79e33719f20400faae48172305cc358466ae42ffeefc3e414741ef3114318772_amd64"
        },
        "product_reference": "rhceph/rhceph-4-dashboard-rhel8@sha256:79e33719f20400faae48172305cc358466ae42ffeefc3e414741ef3114318772_amd64",
        "relates_to_product_reference": "8Base-RHCEPH-4.2-Tools"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhceph/rhceph-4-rhel8@sha256:4feb0e6cdd56656741bcb9dc54d7750aa7b9db1063c94b9217255f899f909dae_ppc64le as a component of Red Hat Ceph Storage 4.2 Tools",
          "product_id": "8Base-RHCEPH-4.2-Tools:rhceph/rhceph-4-rhel8@sha256:4feb0e6cdd56656741bcb9dc54d7750aa7b9db1063c94b9217255f899f909dae_ppc64le"
        },
        "product_reference": "rhceph/rhceph-4-rhel8@sha256:4feb0e6cdd56656741bcb9dc54d7750aa7b9db1063c94b9217255f899f909dae_ppc64le",
        "relates_to_product_reference": "8Base-RHCEPH-4.2-Tools"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhceph/rhceph-4-rhel8@sha256:620919a0197437bb623b75fcd7d40a519e6b0d6a1af722fe8731f92e20b60cc2_amd64 as a component of Red Hat Ceph Storage 4.2 Tools",
          "product_id": "8Base-RHCEPH-4.2-Tools:rhceph/rhceph-4-rhel8@sha256:620919a0197437bb623b75fcd7d40a519e6b0d6a1af722fe8731f92e20b60cc2_amd64"
        },
        "product_reference": "rhceph/rhceph-4-rhel8@sha256:620919a0197437bb623b75fcd7d40a519e6b0d6a1af722fe8731f92e20b60cc2_amd64",
        "relates_to_product_reference": "8Base-RHCEPH-4.2-Tools"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhceph/rhceph-4-rhel8@sha256:da6341a7905300b5e6fec606cfbeabc68d8aeff662bae1174bd1c728d9e4a306_s390x as a component of Red Hat Ceph Storage 4.2 Tools",
          "product_id": "8Base-RHCEPH-4.2-Tools:rhceph/rhceph-4-rhel8@sha256:da6341a7905300b5e6fec606cfbeabc68d8aeff662bae1174bd1c728d9e4a306_s390x"
        },
        "product_reference": "rhceph/rhceph-4-rhel8@sha256:da6341a7905300b5e6fec606cfbeabc68d8aeff662bae1174bd1c728d9e4a306_s390x",
        "relates_to_product_reference": "8Base-RHCEPH-4.2-Tools"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-13379",
      "cwe": {
        "id": "CWE-476",
        "name": "NULL Pointer Dereference"
      },
      "discovery_date": "2020-06-03T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-RHCEPH-4.2-Tools:rhceph/ansible-runner-rhel8@sha256:7a61e55121f0f0a4dc303e38f9740f70fcf81d3edd63a88384e80228bd1ac2fa_amd64",
            "8Base-RHCEPH-4.2-Tools:rhceph/ansible-runner-rhel8@sha256:7d23f1ce1b59b0902e7ede6e63a49449053d0326723eb6e77d3c054b49ac44cf_s390x",
            "8Base-RHCEPH-4.2-Tools:rhceph/ansible-runner-rhel8@sha256:883246430bdf41eeea8e4df1ffc00f9083950a20c24ea98ab8742d7a90d6dc2b_ppc64le",
            "8Base-RHCEPH-4.2-Tools:rhceph/rhceph-4-rhel8@sha256:4feb0e6cdd56656741bcb9dc54d7750aa7b9db1063c94b9217255f899f909dae_ppc64le",
            "8Base-RHCEPH-4.2-Tools:rhceph/rhceph-4-rhel8@sha256:620919a0197437bb623b75fcd7d40a519e6b0d6a1af722fe8731f92e20b60cc2_amd64",
            "8Base-RHCEPH-4.2-Tools:rhceph/rhceph-4-rhel8@sha256:da6341a7905300b5e6fec606cfbeabc68d8aeff662bae1174bd1c728d9e4a306_s390x"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1843640"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "An SSRF incorrect access control vulnerability was found in Grafana regarding the avatar feature, allowing any unauthenticated user or client to make Grafana send HTTP requests to any URL and then return its result to the user or client. Additionally, the same issue can create a NULL pointer dereference vulnerability. This flaw allows an attacker to gain information about the network that Grafana is running on, or cause a segmentation fault, resulting in a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send HTTP requests to any URL",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "In both OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM), the Grafana containers are behind OpenShift OAuth restricting access to the vulnerable path to authenticated users only. However, other pods may still access the vulnerable URL within the cluster. Therefore the impact is moderate for both (OCP and OSSM).\n\nRed Hat Ceph Storage 2 is now in Extended Life Support (ELS) Phase of the support. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Ceph Storage Life Cycle: https://access.redhat.com/support/policy/updates/ceph-storage",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHCEPH-4.2-Tools:rhceph/rhceph-4-dashboard-rhel8@sha256:79e33719f20400faae48172305cc358466ae42ffeefc3e414741ef3114318772_amd64"
        ],
        "known_not_affected": [
          "8Base-RHCEPH-4.2-Tools:rhceph/ansible-runner-rhel8@sha256:7a61e55121f0f0a4dc303e38f9740f70fcf81d3edd63a88384e80228bd1ac2fa_amd64",
          "8Base-RHCEPH-4.2-Tools:rhceph/ansible-runner-rhel8@sha256:7d23f1ce1b59b0902e7ede6e63a49449053d0326723eb6e77d3c054b49ac44cf_s390x",
          "8Base-RHCEPH-4.2-Tools:rhceph/ansible-runner-rhel8@sha256:883246430bdf41eeea8e4df1ffc00f9083950a20c24ea98ab8742d7a90d6dc2b_ppc64le",
          "8Base-RHCEPH-4.2-Tools:rhceph/rhceph-4-rhel8@sha256:4feb0e6cdd56656741bcb9dc54d7750aa7b9db1063c94b9217255f899f909dae_ppc64le",
          "8Base-RHCEPH-4.2-Tools:rhceph/rhceph-4-rhel8@sha256:620919a0197437bb623b75fcd7d40a519e6b0d6a1af722fe8731f92e20b60cc2_amd64",
          "8Base-RHCEPH-4.2-Tools:rhceph/rhceph-4-rhel8@sha256:da6341a7905300b5e6fec606cfbeabc68d8aeff662bae1174bd1c728d9e4a306_s390x"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-13379"
        },
        {
          "category": "external",
          "summary": "RHBZ#1843640",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1843640"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-13379",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-13379"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-13379",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13379"
        },
        {
          "category": "external",
          "summary": "https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/",
          "url": "https://grafana.com/blog/2020/06/03/grafana-6.7.4-and-7.0.2-released-with-important-security-fix/"
        },
        {
          "category": "external",
          "summary": "https://www.openwall.com/lists/oss-security/2020/06/09/2/",
          "url": "https://www.openwall.com/lists/oss-security/2020/06/09/2/"
        }
      ],
      "release_date": "2020-06-03T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2021-01-12T15:21:34+00:00",
          "details": "For details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-RHCEPH-4.2-Tools:rhceph/rhceph-4-dashboard-rhel8@sha256:79e33719f20400faae48172305cc358466ae42ffeefc3e414741ef3114318772_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2021:0083"
        },
        {
          "category": "workaround",
          "details": "This issue can be mitigated by blocking access to the URL path /avatar/*, through a method such as a reverse proxy, load balancer, application firewall etc.",
          "product_ids": [
            "8Base-RHCEPH-4.2-Tools:rhceph/ansible-runner-rhel8@sha256:7a61e55121f0f0a4dc303e38f9740f70fcf81d3edd63a88384e80228bd1ac2fa_amd64",
            "8Base-RHCEPH-4.2-Tools:rhceph/ansible-runner-rhel8@sha256:7d23f1ce1b59b0902e7ede6e63a49449053d0326723eb6e77d3c054b49ac44cf_s390x",
            "8Base-RHCEPH-4.2-Tools:rhceph/ansible-runner-rhel8@sha256:883246430bdf41eeea8e4df1ffc00f9083950a20c24ea98ab8742d7a90d6dc2b_ppc64le",
            "8Base-RHCEPH-4.2-Tools:rhceph/rhceph-4-dashboard-rhel8@sha256:79e33719f20400faae48172305cc358466ae42ffeefc3e414741ef3114318772_amd64",
            "8Base-RHCEPH-4.2-Tools:rhceph/rhceph-4-rhel8@sha256:4feb0e6cdd56656741bcb9dc54d7750aa7b9db1063c94b9217255f899f909dae_ppc64le",
            "8Base-RHCEPH-4.2-Tools:rhceph/rhceph-4-rhel8@sha256:620919a0197437bb623b75fcd7d40a519e6b0d6a1af722fe8731f92e20b60cc2_amd64",
            "8Base-RHCEPH-4.2-Tools:rhceph/rhceph-4-rhel8@sha256:da6341a7905300b5e6fec606cfbeabc68d8aeff662bae1174bd1c728d9e4a306_s390x"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHCEPH-4.2-Tools:rhceph/rhceph-4-dashboard-rhel8@sha256:79e33719f20400faae48172305cc358466ae42ffeefc3e414741ef3114318772_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send HTTP requests to any URL"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.