CVE-2023-2801 HIGH

CVE-2023-2801

Vendor Grafana

Product Grafana

Weakness CWE-820

Published June 6, 2023

Last update February 13, 2025

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

Grafana is an open-source platform for monitoring and observability. Using public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance. The only feature that uses mixed queries at the moment is public dashboards, but it's also possible to cause this by calling the query API directly. This might enable malicious users to crash Grafana instances through that endpoint. Users may upgrade to version 9.4.12 and 9.5.3 to receive a fix.

Key dates

02Disclosure timeline

June 6, 2023 CVE published

February 13, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-2801 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/820.html

Related vulnerabilities

Identifiers

CVE CVE-2023-2801

CWE CWE-820

CVSS 7.5 / HIGH

Affected versions

Vendor Grafana

Product Grafana

Affected ≥ 9.4.0 and < 9.4.12

Vendor Grafana

Product Grafana

Affected ≥ 9.5.0 and < 9.5.3

Vendor Grafana

Product Grafana Enterprise

Affected ≥ 9.4.0 and < 9.4.12

Vendor Grafana

Product Grafana Enterprise

Affected ≥ 9.5.0 and < 9.5.3

CVE-2023-2801

01Description

02Disclosure timeline

03References

04Related CVE