CVE-2023-2801 - OpenCVE

Grafana is an open-source platform for monitoring and observability. Using public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance. The only feature that uses mixed queries at the moment is public dashboards, but it's also possible to cause this by calling the query API directly. This might enable malicious users to crash Grafana instances through that endpoint. Users may upgrade to version 9.4.12 and 9.5.3 to receive a fix.

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Grafana	Grafana

Configuration 1 [-]

OR	cpe:2.3:a:grafana:grafana::::::::
	cpe:2.3:a:grafana:grafana::::::::

References

Link	Resource
https://grafana.com/security/security-advisories/cve-2023-2801/	Vendor Advisory
https://security.netapp.com/advisory/ntap-20230706-0002/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GRAFANA

Published: 2023-06-06T18:03:32.459Z

Updated: 2023-06-06T18:03:32.459Z

Reserved: 2023-05-18T16:22:13.573Z

Link: CVE-2023-2801

JSON object: View

NVD Information

Status : Modified

Published: 2023-06-06T19:15:11.413

Modified: 2023-07-06T19:15:10.383

Link: CVE-2023-2801

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-2801", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2023-05-18T16:22:13.573Z", "datePublished": "2023-06-06T18:03:32.459Z", "dateUpdated": "2023-06-06T18:03:32.459Z"}, "containers": {"cna": {"affected": [{"product": "Grafana", "vendor": "Grafana", "versions": [{"lessThan": "9.4.12", "status": "affected", "version": "9.4.0", "versionType": "semver"}, {"lessThan": "9.5.3", "status": "affected", "version": "9.5.0", "versionType": "semver"}]}, {"product": "Grafana Enterprise", "vendor": "Grafana", "versions": [{"lessThan": "9.4.12", "status": "affected", "version": "9.4.0", "versionType": "semver"}, {"lessThan": "9.5.3", "status": "affected", "version": "9.5.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Grafana is an open-source platform for monitoring and observability. </p><p>Using public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance.</p><p>The only feature that uses mixed queries at the moment is public dashboards, but it's also possible to cause this by calling the query API directly.</p><p>This might enable malicious users to crash Grafana instances through that endpoint.</p><p>Users may upgrade to version 9.4.12 and 9.5.3 to receive a fix.</p>"}], "value": "Grafana is an open-source platform for monitoring and observability. \n\nUsing public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance.\n\nThe only feature that uses mixed queries at the moment is public dashboards, but it's also possible to cause this by calling the query API directly.\n\nThis might enable malicious users to crash Grafana instances through that endpoint.\n\nUsers may upgrade to version 9.4.12 and 9.5.3 to receive a fix.\n\n"}], "impacts": [{"capecId": "CAPEC-26", "descriptions": [{"lang": "en", "value": "CAPEC-26"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-820", "description": "CWE-820", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2023-06-06T18:03:32.459Z"}, "references": [{"url": "https://grafana.com/security/security-advisories/cve-2023-2801/"}, {"url": "https://security.netapp.com/advisory/ntap-20230706-0002/"}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "F7E1DC65-AEE9-4296-98A8-B0F8C0794B39", "versionEndExcluding": "9.4.12", "versionStartIncluding": "9.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "109E940E-B6B4-4E5A-A580-C58A26CD4392", "versionEndExcluding": "9.5.3", "versionStartIncluding": "9.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Grafana is an open-source platform for monitoring and observability. \n\nUsing public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance.\n\nThe only feature that uses mixed queries at the moment is public dashboards, but it's also possible to cause this by calling the query API directly.\n\nThis might enable malicious users to crash Grafana instances through that endpoint.\n\nUsers may upgrade to version 9.4.12 and 9.5.3 to receive a fix.\n\n"}], "id": "CVE-2023-2801", "lastModified": "2023-07-06T19:15:10.383", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@grafana.com", "type": "Secondary"}]}, "published": "2023-06-06T19:15:11.413", "references": [{"source": "security@grafana.com", "tags": ["Vendor Advisory"], "url": "https://grafana.com/security/security-advisories/cve-2023-2801/"}, {"source": "security@grafana.com", "url": "https://security.netapp.com/advisory/ntap-20230706-0002/"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-662"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-820"}], "source": "security@grafana.com", "type": "Secondary"}]}