GHSA-x2w4-c67p-g44j: Grafana Missing Synchronization vulnerability
Grafana is an open-source platform for monitoring and observability.
Using public dashboards, users can query multiple distinct data sources with mixed queries. However, such a query can crash a Grafana instance.
The only feature that currently uses mixed queries is public dashboards, but the same crash can be caused by calling the query API directly.
This might enable malicious users to crash Grafana instances through that endpoint.
Users may upgrade to version 9.4.12 or 9.5.3 to receive a fix.
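The advisory names the bug class (missing synchronization) but not the exact code path, so the following is an added illustration, not Grafana's code: a mixed query fanned out to several data sources whose goroutines collect results into one shared map. Go aborts the whole process on concurrent map writes, a fatal error that recover() cannot intercept, which is why an unsynchronized fan-out can take the server down; the mutex-guarded form is the usual fix. Query, fakeBackend and both run functions are constructed for this example, and only the safe form is run.

```go
package main

import (
	"fmt"
	"sync"
)

// Query names one data source and the RefID its result is returned under.
type Query struct{ DataSource, RefID string }
// fakeBackend stands in for a real data-source plugin (constructed for this example).
func fakeBackend(q Query) string { return "rows from " + q.DataSource + " for " + q.RefID }
// runMixedUnsafe fans queries out to one goroutine per data source, all writing into
// one shared map with no synchronization. Go aborts the process on concurrent map
// writes (a fatal error recover() cannot catch), so one request can crash the server.
func runMixedUnsafe(queries []Query) map[string]string {
	results := map[string]string{}
	var wg sync.WaitGroup
	for _, q := range queries {
		wg.Add(1)
		go func(q Query) {
			defer wg.Done()
			results[q.RefID] = fakeBackend(q) // unsynchronized write; "before" form only
		}(q)
	}
	wg.Wait()
	return results
}

// runMixedSafe is the same fan-out with a mutex serializing the map writes.
func runMixedSafe(queries []Query) map[string]string {
	results := map[string]string{}
	var mu sync.Mutex
	var wg sync.WaitGroup
	for _, q := range queries {
		wg.Add(1)
		go func(q Query) {
			defer wg.Done()
			r := fakeBackend(q) // slow work stays outside the lock
			mu.Lock()
			results[q.RefID] = r
			mu.Unlock()
		}(q)
	}
	wg.Wait()
	return results
}

func main() {
	fmt.Println(runMixedSafe([]Query{{"prometheus", "A"}, {"loki", "B"}}))
}
```

Running the unsafe form under `go test -race` or with enough concurrent queries reproduces the class of crash; the safe form returns one entry per RefID regardless of scheduling.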
CVE-2023-2801 | High severity | GitHub Reviewed | Published Jun 6, 2023 to the GitHub Advisory Database • Updated Jun 7, 2023
Package
gomod github.com/grafana/grafana (Go)
Affected versions
< 9.4.12
>= 9.5.0, < 9.5.3
Patched versions
9.4.12
9.5.3
References
- https://nvd.nist.gov/vuln/detail/CVE-2023-2801
- https://grafana.com/security/security-advisories/cve-2023-2801/