Vulnerability CVE-2023-2801: Information

Description

Grafana is an open-source platform for monitoring and observability. Using public dashboards, users can query multiple distinct data sources with mixed queries. However, such a query can crash a Grafana instance. The only feature that uses mixed queries at the moment is public dashboards, but the same condition can also be triggered by calling the query API directly. This might enable malicious users to crash Grafana instances through that endpoint. Users may upgrade to version 9.4.12 or 9.5.3 to receive a fix.

Severity: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Published: June 6, 2023
Modified: July 6, 2023
Error type identifier: CWE-662

Fixed packages

Package name | Branch   | Fixed in version | Version from repository | Errata ID          | Task # | State
grafana      | sisyphus | 9.5.5-alt1       | 10.2.2-alt1.1           | ALT-PU-2023-4148-1 | 323937 | Fixed
grafana      | p10      | 9.5.5-alt1       | 10.2.2-alt1.1           | ALT-PU-2023-4133-1 | 323967 | Fixed
grafana      | c10f1    | 9.5.5-alt1       | 10.2.2-alt1.1           | ALT-PU-2023-4346-2 | 324663 | Fixed
grafana      | c9f2     | 9.5.5-alt1       | 9.5.5-alt1              | ALT-PU-2023-4567-3 | 323137 | Fixed
grafana      | p11      | 9.5.5-alt1       | 10.2.2-alt1.1           | ALT-PU-2023-4148-1 | 323937 | Fixed

References to Advisories, Solutions, and Tools

    1. Configuration 1

      cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
      Start including: 9.5.0
      End excluding: 9.5.3

      cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
      Start including: 9.4.0
      End excluding: 9.4.12