
Grafana security release: New Grafana versions with security fixes for CVE-2023-2183 and CVE-2023-2801

6 Jun, 2023

Today we are releasing Grafana 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26. These patch releases include medium and high severity security fixes for CVE-2023-2183 and CVE-2023-2801, respectively.

Release 9.5.3, latest release with security patch
Release 9.4.12, latest release with security patch
Release 9.3.15, latest release with security patch
Release 9.2.19, latest release with security patch
Release 8.5.26, latest release with security patch

Appropriate patches have been applied to Grafana Cloud, and as always, we closely coordinated with all cloud providers licensed to offer Grafana Cloud Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure Managed Grafana.

Broken access control: viewer can send test alerts (CVE-2023-2183)

Summary

Grafana can allow an attacker in the Viewer role to send alerts via the Alert - Test API. This option, however, is not available in the user panel UI for the Viewer role.

The CVSS score for this vulnerability is 4.1 Medium (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N).

Impact

Because the API does not check access to the Alert - Test function, users without permission can call it. For example, a user in the Viewer role does not have access to this option in the Grafana user panel, but can still reach it through the API.

This vulnerability enables malicious users to abuse the functionality by sending multiple alert messages via email, Slack, and other platforms: spamming users, preparing phishing attacks, getting the SMTP server or its IP blocked, or causing all messages to be moved automatically to a spam folder or the sending IP to be added to a blocklist.

Impacted versions

Grafana 9.5 > 9.5.3 
Grafana 9.4 > 9.4.12
Grafana 9.3 > 9.3.15
Grafana 9.0 > 9.2.19
Grafana 8.0 > 8.5.26

Solutions and mitigations

To fully address CVE-2023-2183, please upgrade your Grafana instances. 

Grafana DS proxy race condition (CVE-2023-2801)

Summary

We have discovered a vulnerability with Grafana’s data source query endpoints that could end up crashing a Grafana instance.

If you have public dashboards (PD) enabled, we are scoring this as a CVSS 7.5 High.

If you have disabled PD, this vulnerability is still a risk, but triggering the issue requires data source read privileges and access to the Grafana API through a developer script.

Impact

If you send an API call to the /ds/query or a public dashboard query endpoint that has mixed queries (i.e., two or more distinct data sources in one API call), you can crash your Grafana instance.

The only feature that uses mixed queries within Grafana right now is public dashboards, but it is also possible to cause this issue by calling the API directly.

Impacted versions

Grafana 9.4.0 > 9.4.12
Grafana 9.5 > 9.5.3

Solutions and mitigations

To fully address CVE-2023-2801, please upgrade your Grafana instances.

You can also block mixed query requests by adding a patch to Grafana 9.4 to disable mixed query concurrent calls. Please note: This is the short-term fix. A long-term fix is in progress.
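As an added example (not Grafana's own patch or code), here is the kind of request-body check such a short-term filter needs: it decides whether one /ds/query call fans out to two or more distinct data sources. It assumes the body shape described in the comments and that server-side expression queries carry the uid `__expr__`; both are assumptions, not statements from the advisory.

```python
from __future__ import annotations

import json
from typing import Any, Iterable

# Assumed body shape of the /ds/query endpoint: a top-level "queries" array in
# which each query names its data source either as
# {"datasource": {"uid": ..., "type": ...}} or via a legacy "datasourceId".
EXPRESSION_UID = "__expr__"  # assumed uid of server-side expression queries


def datasource_keys(queries: Iterable[dict[str, Any]]) -> set[str]:
    """Return the set of distinct data sources referenced by a query list."""
    keys: set[str] = set()
    for q in queries:
        ds = q.get("datasource")
        if isinstance(ds, dict) and ds.get("uid"):
            key = f"uid:{ds['uid']}"
        elif isinstance(ds, str) and ds:  # very old clients send a name
            key = f"name:{ds}"
        elif q.get("datasourceId") is not None:
            key = f"id:{q['datasourceId']}"
        else:
            continue  # no data source stated; server resolves the default
        if key == f"uid:{EXPRESSION_UID}":
            continue  # expressions run in-process, not through the DS proxy
        keys.add(key)
    return keys


def is_mixed_query(raw_body: bytes | str) -> bool:
    """True when one request targets two or more distinct data sources."""
    try:
        body = json.loads(raw_body)
    except (ValueError, TypeError):
        return False  # malformed JSON never reaches the proxy fan-out
    queries = body.get("queries") if isinstance(body, dict) else None
    if not isinstance(queries, list):
        return False
    return len(datasource_keys(queries)) >= 2


# Constructed sample bodies (not captured traffic).
SINGLE_DS = json.dumps({"from": "now-1h", "to": "now", "queries": [
    {"refId": "A", "datasource": {"uid": "prom-1", "type": "prometheus"}, "expr": "up"},
    {"refId": "B", "datasource": {"uid": "prom-1", "type": "prometheus"}, "expr": "up"},
]})
MIXED_DS = json.dumps({"from": "now-1h", "to": "now", "queries": [
    {"refId": "A", "datasource": {"uid": "prom-1", "type": "prometheus"}, "expr": "up"},
    {"refId": "B", "datasource": {"uid": "loki-1", "type": "loki"}, "expr": "{job=\"x\"}"},
]})
```

A reverse proxy or middleware in front of an unpatched 9.4 instance can reject a request when `is_mixed_query` returns True; with public dashboards disabled this only affects direct API callers.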

Reporting security issues

If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs’ open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key.

The key fingerprint is 225E 6A9B BB15 A37E 95EB 6312 C66A 51CC B44C 27E0

The key is available from keyserver.ubuntu.com.

Security announcements

We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to our RSS feed.