Grafana avatar SSRF - Vulnerability Database

Grafana avatar SSRF

Description

The avatar feature in Grafana versions 3.0.1 through 7.0.1 contains a Server-Side Request Forgery (SSRF) vulnerability due to improper access controls. Unauthenticated attackers can exploit this flaw to force the Grafana server to make HTTP requests to arbitrary URLs and return the responses, enabling network reconnaissance and information disclosure. Additionally, malformed URL inputs can trigger denial-of-service conditions through application crashes, and in certain configurations, this vulnerability can be chained to achieve remote code execution.

Remediation

Immediately upgrade Grafana to version 6.7.4, 7.0.2, or later, which contain fixes for this vulnerability. Follow these steps:

1. Backup your Grafana instance including configuration files and database before upgrading
2. Download and install the patched version appropriate for your deployment from the official Grafana releases
3. Restart the Grafana service and verify functionality
4. Review access logs for any suspicious activity related to the /avatar/* endpoint
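As an added example for step 4 (not part of this database entry or of Grafana), the script below parses Nginx combined-format access lines and flags /avatar/* requests worth a closer look. It assumes a legitimate avatar path segment is a 32-character lowercase hex hash (Grafana proxies Gravatar, which is keyed by an MD5 hash); the log lines are constructed, not real traffic.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample access log in Nginx "combined" format (not real data).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2020:12:00:01 +0000] "GET /avatar/0bc83cb571cd1c50ba6f3e8a78ef1346 HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2020:12:00:02 +0000] "GET /api/health HTTP/1.1" 200 15 "-" "curl/7.68.0"
198.51.100.9 - - [10/Jun/2020:12:00:05 +0000] "GET /avatar/not-a-hash HTTP/1.1" 500 0 "-" "python-requests/2.23"
198.51.100.9 - - [10/Jun/2020:12:00:06 +0000] "GET /avatar/abc HTTP/1.1" 200 340 "-" "python-requests/2.23"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumption: a legitimate avatar segment is an MD5 hex digest.
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def review_avatar_requests(log_text):
    """Return (findings, per_client): every /avatar/* request with its reasons for
    suspicion (empty list if it looks normal) and a request count per client IP."""
    findings, per_client = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["path"]).path  # drop any query string before matching
        if not path.startswith("/avatar/"):
            continue
        per_client[rec["ip"]] += 1
        reasons = []
        if not MD5_HEX.match(path[len("/avatar/"):]):
            reasons.append("path segment is not a 32-char hex hash")
        if rec["status"].startswith("5"):
            reasons.append("server error (possible crash on malformed input)")
        findings.append({"ip": rec["ip"], "path": rec["path"],
                         "status": rec["status"], "reasons": reasons})
    return findings, per_client


def flagged(log_text):
    """Only the /avatar/* requests that have at least one reason for suspicion."""
    return [f for f in review_avatar_requests(log_text)[0] if f["reasons"]]
```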

If immediate upgrading is not possible, implement the following temporary mitigations:

Option 1 - Block Avatar Endpoint: Configure your reverse proxy, load balancer, or web application firewall to block all requests to /avatar/*. Example for Nginx:

# Temporary mitigation: refuse every request under /avatar/ before it reaches Grafana
location /avatar/ {
    deny all;      # access-phase rule: no client is allowed through
    return 403;    # explicit 403 so the block does not depend on the deny handling
}

Option 2 - Restrict Network Access: Limit access to Grafana to trusted IP addresses or networks only, and ensure the Grafana server cannot make outbound requests to sensitive internal resources by implementing egress filtering.

Note that these mitigations only reduce risk and do not fully resolve the vulnerability. Upgrading remains the recommended solution.
