Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2022-30633
CVE-2022-30633:
Grafana vulnerability analysis and mitigation
Overview
Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag (NVD, Go Vuln).
Technical details
The vulnerability is tracked as CVE-2022-30633 with a CVSS v3.1 Base Score of 7.5 (HIGH) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue is classified as CWE-674 (Uncontrolled Recursion) and affects the encoding/xml package in Go versions before 1.17.12 and from 1.18.0 to versions before 1.18.4 (NVD).
Impact
When exploited, this vulnerability can cause a denial of service through application panic due to stack exhaustion. The attack can be triggered when unmarshalling XML documents into Go structs that contain nested fields using the 'any' field tag (Go Announce).
Mitigation and workarounds
The issue has been fixed in Go versions 1.17.12 and 1.18.4. Users are advised to upgrade to these or later versions. The fix implements limits on the depth of nesting in unmarshal operations to prevent stack exhaustion (Go Commit).
Additional resources
Source: This report was generated using AI
Related Grafana vulnerabilities:
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management