CVE-2023-2801

Grafana is an open-source platform for monitoring and observability. Using public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance. The only feature that uses mixed queries at the moment is public dashboards, but it's also possible to cause this by calling the query API directly. This might enable malicious users to crash Grafana instances through that endpoint. Users may upgrade to version 9.4.12 and 9.5.3 to receive a fix.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.6 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://grafana.com/security/security-advisories/cve-2023-2801/	Vendor Advisory
https://security.netapp.com/advisory/ntap-20230706-0002/

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:grafana:grafana::::::::
	cpe:2.3:a:grafana:grafana::::::::

History

No history.

Information

Published : 2023-06-06 19:15

Updated : 2023-07-06 19:15

NVD link : CVE-2023-2801

Mitre link : CVE-2023-2801

CVE.ORG link : CVE-2023-2801

JSON object : View

Products Affected

grafana

grafana

CWE

CWE-662

Improper Synchronization

CWE-820

Missing Synchronization

{"id": "CVE-2023-2801", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.6}, {"type": "Secondary", "source": "security@grafana.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-06-06T19:15:11.413", "references": [{"url": "https://grafana.com/security/security-advisories/cve-2023-2801/", "tags": ["Vendor Advisory"], "source": "security@grafana.com"}, {"url": "https://security.netapp.com/advisory/ntap-20230706-0002/", "source": "security@grafana.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-662"}]}, {"type": "Secondary", "source": "security@grafana.com", "description": [{"lang": "en", "value": "CWE-820"}]}], "descriptions": [{"lang": "en", "value": "Grafana is an open-source platform for monitoring and observability. \n\nUsing public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance.\n\nThe only feature that uses mixed queries at the moment is public dashboards, but it's also possible to cause this by calling the query API directly.\n\nThis might enable malicious users to crash Grafana instances through that endpoint.\n\nUsers may upgrade to version 9.4.12 and 9.5.3 to receive a fix.\n\n"}], "lastModified": "2023-07-06T19:15:10.383", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F7E1DC65-AEE9-4296-98A8-B0F8C0794B39", "versionEndExcluding": "9.4.12", "versionStartIncluding": "9.4.0"}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "109E940E-B6B4-4E5A-A580-C58A26CD4392", "versionEndExcluding": "9.5.3", "versionStartIncluding": "9.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@grafana.com"}