Subject: [ASA-201908-21] grafana: denial of service

Arch Linux Security Advisory ASA-201908-21
==========================================

Severity: Medium
Date    : 2019-08-30
CVE-ID  : CVE-2019-15043
Package : grafana
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1034

Summary
=======

The package grafana before version 6.3.4-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 6.3.4-1.

# pacman -Syu "grafana>=6.3.4-1"

The problem has been fixed upstream in version 6.3.4.

Workaround
==========

None.

Description
===========

This vulnerability allows any unauthenticated user/client to access the
Grafana snapshot HTTP API and create a denial of service attack by
posting large amounts of dashboard snapshot payloads to the
/api/snapshotsHTTP API endpoint.

Impact
======

A remote attacker is able to cause a denial of service by sending a
specially crafted request.

References
==========

https://grafana.com/blog/2019/08/29/grafana-5.4.5-and-6.3.4-released-with-important-security-fix/
https://github.com/grafana/grafana/commit/be2e2330f5c1f92082841d7eb13c5583143963a4
https://security.archlinux.org/CVE-2019-15043