Description
Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.
A flaw was found in Grafana. A remote attacker can exploit this vulnerability by sending a sustained volume of uncached /avatar/:hash requests. This action causes the system to create and block goroutines, which are lightweight concurrent functions, leading to a continuous increase in memory usage. Over time, this resource exhaustion can cause Grafana to crash, resulting in a Denial of Service (DoS).
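The leak pattern described above, reduced to a self-contained Go program (an added example, not Grafana's own code): `avatar` with `buf == 0` reproduces the unbuffered-channel send that outlives the timed-out handler, and `buf == 1` shows the generic remedy of a one-slot buffered channel so the worker can always complete its send and exit. The two-slot queue, the 50 ms refresh delay, the 5 ms deadline and the `hash-N` values are all constructed for the demo; whether Grafana's actual patch uses this exact remedy is not stated on this page.

```go
package main

import (
	"context"
	"fmt"
	"runtime"
	"time"
)

var slots = make(chan struct{}, 2)         // bounded worker queue: 2 slots instead of 10 to keep the demo short
const refreshDelay = 50 * time.Millisecond // stands in for the Gravatar round trip

func refresh(hash string) []byte {
	slots <- struct{}{} // wait for a queue slot
	defer func() { <-slots }()
	time.Sleep(refreshDelay)
	return []byte("avatar:" + hash)
}

// avatar starts the refresh goroutine and waits for its result or the deadline.
// buf == 0 is the bug: once the handler has returned on ctx.Done() nobody receives
// on the unbuffered channel, so the goroutine blocks on its send forever.
// buf == 1 is the fix: the send completes regardless, and the goroutine exits.
func avatar(ctx context.Context, hash string, buf int) ([]byte, error) {
	ch := make(chan []byte, buf)
	go func() { ch <- refresh(hash) }()
	select {
	case b := <-ch:
		return b, nil
	case <-ctx.Done():
		return nil, ctx.Err()
	}
}

// goroutinesLeaked issues n requests that all time out (deadline < refreshDelay),
// lets every queued refresh drain, and returns how many goroutines are still alive.
func goroutinesLeaked(buf, n int) int {
	before := runtime.NumGoroutine()
	for i := 0; i < n; i++ {
		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Millisecond)
		avatar(ctx, fmt.Sprintf("hash-%d", i), buf) // constructed hash values
		cancel()
	}
	time.Sleep(time.Duration(n)*refreshDelay + 500*time.Millisecond)
	return runtime.NumGoroutine() - before
}

func main() {
	fmt.Println("leaked unbuffered:", goroutinesLeaked(0, 10), "buffered:", goroutinesLeaked(1, 10)) // 10 0
}
```

In a real service the leaked count is the number of requests that ever hit the timeout, which is why sustained traffic with fresh hashes grows memory without bound.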
Statement
This IMPORTANT denial of service vulnerability in Grafana allows an unauthenticated attacker to exhaust system resources. By sending sustained requests to the /avatar/:hash endpoint, goroutines leak due to timed-out Gravatar image refreshes, leading to memory exhaustion and potential Grafana service crashes. This affects Grafana instances shipped with Red Hat Ceph Storage, Red Hat Enterprise Linux, and Red Hat In-Vehicle OS.
Mitigation
To mitigate this issue, disable Gravatar support in the Grafana configuration. Edit the grafana.ini file and set allow_gravatar = false under the [users] section. After modifying the configuration, restart the Grafana service for the changes to take effect. This action will prevent user avatars from being displayed.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Ceph Storage 7 | rhceph/grafana-rhel9 | Not affected | | |
| Red Hat Ceph Storage 8 | rhceph/grafana-rhel9 | Not affected | | |
| Red Hat Enterprise Linux 10 | grafana | Not affected | | |
| Red Hat Enterprise Linux 8 | grafana | Not affected | | |
| Red Hat Enterprise Linux 9 | grafana | Not affected | | |
Additional information
CVSS3 score: 7.5 High
Related vulnerabilities
A vulnerability in the Grafana monitoring and observability platform related to uncontrolled resource consumption, allowing an attacker to cause a denial of service