Grafana query API crash (CVE-2023-2801) - mixed queries before 9.4.12/9.5.3
CVE-2023-2801 Published on June 6, 2023
Grafana is an open-source platform for monitoring and observability. Through public dashboards, users can query multiple distinct data sources with a single mixed query. However, such a query can crash a Grafana instance. Public dashboards are currently the only feature that uses mixed queries, but the same condition can be triggered by calling the query API directly, which might let malicious users crash Grafana instances through that endpoint. Users should upgrade to version 9.4.12 or 9.5.3 to receive the fix.
Vulnerability Analysis
CVE-2023-2801 can be exploited with network access and requires neither privileges nor user interaction. The attack complexity is considered low. Exploitation is considered to have no impact on confidentiality or integrity, and a high impact on availability.
Weakness Type
Missing Synchronization
The software utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource. If access to a shared resource is not synchronized, then the resource may not be in a state that is expected by the software. This might lead to unexpected or insecure behaviors, especially if an attacker can influence the shared resource.
Products Associated with CVE-2023-2801
Affected Versions
Grafana:
- Versions 9.4.0 and later, below 9.4.12, are affected.
- Versions 9.5.0 and later, below 9.5.3, are affected.
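A defender-side check for the affected ranges above, added here as an example and not part of the advisory or of Grafana's own code: it parses a Grafana version string (as returned, for instance, by the `version` field of Grafana's `/api/health` response) and reports whether the instance falls inside one of the vulnerable release ranges. The sample health responses are constructed, and their commit values are placeholders.

```python
import json
import re

# Affected ranges from the advisory, expressed as [first affected, first fixed)
# per release branch, as (major, minor, patch) tuples.
AFFECTED_RANGES = [
    ((9, 4, 0), (9, 4, 12)),
    ((9, 5, 0), (9, 5, 3)),
]


def parse_version(version: str) -> tuple:
    """Turn '9.4.7', 'v9.5.2' or '9.4.7-pre' into a comparable (major, minor, patch) tuple.

    Pre-release suffixes are ignored, so '9.4.12-pre' compares equal to 9.4.12;
    treat pre-release builds with care if you rely on this check.
    """
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True if the version lies in a range the advisory lists as vulnerable to CVE-2023-2801."""
    v = parse_version(version)
    return any(start <= v < fixed for start, fixed in AFFECTED_RANGES)


def check_health_response(body: str) -> dict:
    """Parse a /api/health JSON body and report the instance's exposure."""
    data = json.loads(body)
    version = data["version"]
    return {"version": version, "affected": is_affected(version)}


# Constructed sample /api/health bodies (commit values are placeholders, not real hashes).
SAMPLE_HEALTH = [
    '{"commit": "PLACEHOLDER", "database": "ok", "version": "9.4.7"}',
    '{"commit": "PLACEHOLDER", "database": "ok", "version": "9.4.12"}',
    '{"commit": "PLACEHOLDER", "database": "ok", "version": "9.5.2"}',
    '{"commit": "PLACEHOLDER", "database": "ok", "version": "9.3.6"}',
]

if __name__ == "__main__":
    for body in SAMPLE_HEALTH:
        result = check_health_response(body)
        print(f"Grafana {result['version']}: {'AFFECTED' if result['affected'] else 'not affected'}")
```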
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.