[ASA-201908-21] grafana: denial of service

Remi Gacogne rgacogne at archlinux.org
Wed Sep 4 13:43:39 UTC 2019


Arch Linux Security Advisory ASA-201908-21
==========================================

Severity: Medium
Date    : 2019-08-30
CVE-ID  : CVE-2019-15043
Package : grafana
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1034

Summary
=======

The package grafana before version 6.3.4-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 6.3.4-1.

# pacman -Syu "grafana>=6.3.4-1"

The problem has been fixed upstream in version 6.3.4.

Workaround
==========

None.

Description
===========

This vulnerability allows any unauthenticated user/client to access the
Grafana snapshot HTTP API and create a denial of service attack by
posting large amounts of dashboard snapshot payloads to the
/api/snapshotsHTTP API endpoint.

Impact
======

A remote attacker is able to cause a denial of service by sending a
specially crafted request.

References
==========

https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/
https://github.com/grafana/grafana/commit/be2e2330f5c1f92082841d7eb13c5583143963a4
https://security.archlinux.org/CVE-2019-15043

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20190904/a43e189e/attachment.sig>


More information about the arch-security mailing list