
These patch releases include medium and high severity security fixes for CVE-2023-2183 and CVE-2023-2801, respectively.

Release 9.5.3, latest release with security patch:

Release 9.4.12, latest release with security patch:

Release 9.3.15, latest release with security patch:

Release 9.2.19, latest release with security patch:

Release 8.5.26, latest release with security patch:

Appropriate patches have been applied to Grafana Cloud, and as always, we closely coordinated with all cloud providers licensed to offer Grafana Cloud Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure Managed Grafana.

Broken access control: viewer can send test alerts (CVE-2023-2183)

Summary

Grafana can allow an attacker in the Viewer role to send alerts by API Alert - Test. This option, however, is not available in the user panel UI for the Viewer role.

The CVSS score for this vulnerability is 4.1 Medium (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N).

Impact

Because the API does not check access to this API alert function, it allows users without permission to access the API Alert - Test function. For example, a user who is a Viewer does not have access to this option in the Grafana user panel. This vulnerability enables malicious users to abuse the functionality by sending multiple alert messages via email, Slack, and other platforms, spamming users, preparing phishing attacks, or getting the SMTP server / IP blocked, so that all messages are automatically moved to a spam folder or the sending IP is added to a blacklist.

Solutions and mitigations

Grafana 8.0 > 8.5.26

To fully address CVE-2023-2183, please upgrade your Grafana instances.

Grafana DS proxy race condition (CVE-2023-2801)

Summary

We have discovered a vulnerability with Grafana's data source query endpoints that could end up crashing a Grafana instance. If you have public dashboards (PD) enabled, we are scoring this as a CVSS 7.5 High. If you have disabled PD, this vulnerability is still a risk, but triggering the issue requires data source read privileges and access to the Grafana API through a developer script. If you send an API call to the /ds/query or a public dashboard query endpoint that has mixed queries (i.e., two or more distinct data sources in one API call), you can crash your Grafana instance.
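Both CVEs are fixed in the same set of releases, so the practical defender task is to triage a fleet inventory against that release list. The following script is an added example, not code from the Grafana advisory or the Grafana project: it parses a Grafana version string and reports whether it is at or above the patched release for its series (9.5.3, 9.4.12, 9.3.15, 9.2.19, 8.5.26). The advisory's own table survives only as the row "Grafana 8.0 > 8.5.26"; the rule that an older minor series of a covered major line (for example 9.0.x) is affected and should move to the lowest patched release above it is an assumption made here, and the hostnames and versions in the sample inventory are constructed.

```python
"""Added example (not from the Grafana advisory or project): triage Grafana
versions against the patched releases named in the advisory for
CVE-2023-2183 and CVE-2023-2801."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Patched releases named in the advisory, keyed by (major, minor) series.
PATCHED = {
    (8, 5): (8, 5, 26),
    (9, 2): (9, 2, 19),
    (9, 3): (9, 3, 15),
    (9, 4): (9, 4, 12),
    (9, 5): (9, 5, 3),
}

# Accepts "9.5.3", "v9.5.3", and suffixed forms such as "9.4.12-pre".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Parse a Grafana version string into a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(x) for x in v)


def assess(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, recommended_upgrade).

    status is one of:
      "patched"     - at or above the patched release for its series
      "affected"    - below a patched release in a major line the advisory covers
      "not covered" - a major/minor line this advisory does not list
    """
    v = parse_version(text)
    major, minor, _ = v
    fixed = PATCHED.get((major, minor))
    if fixed is not None:
        return ("patched", None) if v >= fixed else ("affected", fmt(fixed))
    # No patched release in this exact series. If a later patched series exists
    # in the same major line, treat the older series as affected (assumption,
    # consistent with the advisory's "Grafana 8.0 > 8.5.26" range) and point at
    # the lowest patched release above it.
    later = sorted(p for (maj, _), p in PATCHED.items() if maj == major and p > v)
    if later:
        return ("affected", fmt(later[0]))
    return ("not covered", None)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str, Optional[str]]]:
    """Assess every (host, version) pair; unparseable versions are reported, not skipped."""
    rows = []
    for host, version in inventory:
        try:
            status, upgrade = assess(version)
        except ValueError:
            status, upgrade = "unparseable", None
        rows.append((host, version, status, upgrade))
    return rows


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [
        ("grafana-prod-1", "v9.5.2"),
        ("grafana-prod-2", "9.5.3"),
        ("grafana-legacy", "8.4.7"),
        ("grafana-staging", "9.0.5"),
        ("grafana-next", "10.0.0"),
        ("grafana-broken", "latest"),
    ]
    for host, version, status, upgrade in triage(sample):
        hint = f" -> upgrade to {upgrade}" if upgrade else ""
        print(f"{host:16} {version:8} {status}{hint}")
```

Versions newer than every release in the table (for example 9.6.x or 10.x) are reported as "not covered" rather than "patched", because this advisory makes no statement about them; feed the inventory from your version endpoint or package manager output and treat "affected" hosts as the upgrade queue.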
