First published: Mon May 29 2023
<a href="https://access.redhat.com/security/cve/CVE-2023-2801">CVE-2023-2801</a> Grafana data source proxy race condition

If you send an API call to the /ds/query endpoint or to the public dashboard query endpoint (if public dashboards are enabled) that contains mixed queries (i.e. two or more distinct data sources in one API call), you can crash your Grafana instance. The only feature within Grafana that currently issues mixed queries is public dashboards, but the same condition can be triggered by calling the API directly.

Steps to reproduce: If public dashboards are enabled, hit a public dashboard under heavy load. If public dashboards are disabled, the only way to reproduce this is to hit the /ds/query endpoint with a mixed query payload under heavy load using a load testing script.

Affected: Grafana 9.4.0 - Grafana 10.0
Credit: security@grafana.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/grafana | <9.4.12 | 9.4.12 |
redhat/grafana | <9.5.3 | 9.5.3 |
Grafana Labs Grafana OSS and Enterprise | >=9.4.0 <9.4.12 | 9.4.12 |
Grafana Labs Grafana OSS and Enterprise | >=9.5.0 <9.5.3 | 9.5.3 |
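The affected ranges in the table above are half-open (the lower bound is affected, the listed fix version is not), which is easy to get wrong by eye. The following is an added example, not code from the advisory or from Grafana, that encodes the table's two ranges and checks a Grafana version string against them. It takes the version from the JSON body of Grafana's GET /api/health endpoint; the sample body embedded below is constructed for the example, not captured from a real instance. The 10.0 pre-release builds mentioned in the description are not in the table and are therefore not covered by this check.

```python
"""Check a Grafana version against the CVE-2023-2801 affected ranges from the advisory table."""
import json
import re
from typing import Optional, Tuple

# Affected ranges from the advisory table: (inclusive lower bound, exclusive fixed version).
# Both values are (major, minor, patch) tuples so they compare lexicographically.
AFFECTED_RANGES = [
    ((9, 4, 0), (9, 4, 12)),
    ((9, 5, 0), (9, 5, 3)),
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' into an int tuple; tolerates a leading 'v' and a '-pre' suffix."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range (lower bound inclusive, fix exclusive)."""
    v = parse_version(version)
    return any(lower <= v < fixed for lower, fixed in AFFECTED_RANGES)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release on the same line, or None if the version is not affected."""
    v = parse_version(version)
    for lower, fixed in AFFECTED_RANGES:
        if lower <= v < fixed:
            return ".".join(str(part) for part in fixed)
    return None


def assess_health_response(body: str) -> dict:
    """Assess the JSON body returned by Grafana's GET /api/health endpoint."""
    data = json.loads(body)
    version = data["version"]
    return {
        "version": version,
        "affected": is_affected(version),
        "fix": fixed_version_for(version),
    }


# Constructed sample /api/health body for the example; not captured from a real instance.
SAMPLE_HEALTH = '{"commit": "0000000", "database": "ok", "version": "9.5.2"}'

if __name__ == "__main__":
    print(assess_health_response(SAMPLE_HEALTH))
```

To run this against a live instance, fetch GET /api/health from the Grafana base URL (it is unauthenticated by default) and pass the response body to assess_health_response.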
CVE-2023-2801 is a race condition in Grafana's data source proxy that can crash the instance when a single query request mixes two or more distinct data sources, as public dashboards do.
CVE-2023-2801 affects Grafana 9.4.0 up to but not including 9.4.12, and 9.5.0 up to but not including 9.5.3.
CVE-2023-2801 has a CVSS score of 5.3, which is Medium severity on the CVSS v3 scale.
To fix CVE-2023-2801, upgrade Grafana to 9.4.12 or later on the 9.4 line, or to 9.5.3 or later on the 9.5 line.
You can find more information about CVE-2023-2801 on the Grafana and NetApp security advisories.