Today we are releasing Grafana 9.5.1, 9.5.0, 9.4.9, 9.3.13, 9.2.17 and 8.5.24. Alongside other bug fixes, these patch releases include high and medium severity security fixes for CVE-2023-28119 and CVE-2023-1387.
Release 9.5.1, latest patch, also containing security fix:
Release 9.5.0, also containing security fixes:
Release 9.4.9, also containing security fixes:
Release 9.3.13, also containing security fixes:
Release 9.2.17, also containing security fixes:
Release 8.5.24, also containing security fix only for CVE-2023-28119 :
Appropriate patches have been applied to Grafana Cloud and as always, we closely coordinated with all cloud providers licensed to offer Grafana Cloud Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure Managed Grafana.
Exposure of sensitive information to an unauthorized actor (CVE-2023-1387)
When setting up Grafana, there is an option to enable JWT authentication. Enabling this will allow users to authenticate towards the Grafana instance with a special header (default
In Grafana, there is an additional way to authenticate using JWT called URL login where the token is passed as a query parameter.
When using this option, a JWT token is passed to the data source as a header, which leads to exposure of sensitive information to an unauthorized party.
The CVSS score for this vulnerability is 4.2 Medium
Despite the fact that we state the risk of this in the documentation and it requires that an attacker has control over the data source, the JWT token can still be leaked to a data source when the
GF_AUTH_JWT_URL_LOGIN is set to
All installations for Grafana versions >= 9.1.0.
Grafana Cloud is not impacted.
Solutions and mitigations
To fully address CVE-2023-1387, please upgrade your Grafana instances.
Despite the fact that Grafana Cloud is not impacted, appropriate patches have been applied to Grafana Cloud as a precautionary measure.
Denial of service via deflate decompression bomb when using SAML (CVE-2023-28119)
Grafana is using crewjam/saml library for SAML integration. On March 23, an advisory and relevant fix was published in the upstream library, which described a vulnerability allowing denial of service attack.
The CVSS score for this vulnerability is 7.5 High
The use of flate.NewReader in crewjam/saml does not limit the size of the input. The user could pass more than 1 MB of data in the HTTP request to the processing functions, which will be decompressed server-side using the Deflate algorithm. Therefore, after repeating the same request multiple times, it is possible to achieve a reliable crash since the operating system kills the process.
In Grafana Enterprise, SAML single logout is using the aforementioned functions; therefore, it’s impacted by the vulnerability.
All installations for Grafana Enterprise >= 7.3.0-beta1.
Only Grafana Enterprise instances where SAML with Single Logout is used are vulnerable. Potential DoS attacks can cause downtime and other side effects depending on the use cases.
Solutions and mitigations
To fully address CVE-2023-28119, please upgrade your Grafana instances. Appropriate patches have been applied to Grafana Cloud.
As an alternative mitigation, disabling single logout in SAML or not using the SAML authentication entirely would mitigate the vulnerability.
Reporting security issues
If you think you have found a security vulnerability, please send a report to firstname.lastname@example.org. This address can be used for all of Grafana Labs’ open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is
225E 6A9B BB15 A37E 95EB 6312 C66A 51CC B44C 27E0
The key is available from keyserver.ubuntu.com.
We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.
You can also subscribe to our RSS feed.