CVE-2023-2801Missing Synchronization in Grafana

CWE-820Missing SynchronizationCWE-662Improper Synchronization6 documents5 sources
Severity
5.3MEDIUMNVD
CNA7.5
EPSS
0.9%
top 24.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
GrafanaGrafana EnterpriseGithub.com Grafana Grafana
Timeline
PublishedJun 6

Description

Grafana is an open-source platform for monitoring and observability. Using public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance. The only feature that uses mixed queries at the moment is public dashboards, but it's also possible to cause this by calling the query API directly. This might enable malicious users to crash Grafana instances through that endpoint. Users may upgrade to version 9.4.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.6 | Impact: 3.6

Affected Packages4 packages

CVEListV5grafana/grafana9.4.09.4.12+1
NVDgrafana/grafana9.4.09.4.12+1
CVEListV5grafana/grafana_enterprise9.4.09.4.12+1
Gogithub.com/grafana_grafana9.5.09.5.3+1

🔴Vulnerability Details

4
OSV
CVE-2023-2801: Grafana is an open-source platform for monitoring and observability2023-06-06
CVEList
CVE-2023-2801: Grafana is an open-source platform for monitoring and observability2023-06-06
OSV
Grafana Missing Synchronization vulnerability2023-06-06
GHSA
Grafana Missing Synchronization vulnerability2023-06-06

📋Vendor Advisories

1
Red Hat
grafana: data source proxy race condition2023-06-06
CVE-2023-2801 — Missing Synchronization in Grafana | cvebase