Grafana security release: New Grafana versions with security fixes for CVE-2023-2183 and CVE-2023-2801
Today we are releasing Grafana 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26. These patch releases include medium and high severity security fixes for CVE-2023-2183 and CVE-2023-2801, respectively.
Release 9.5.3, latest release with security patch
Release 9.4.12, latest release with security patch
Release 9.3.15, latest release with security patch
Release 9.2.19, latest release with security patch
Release 8.5.26, latest release with security patch
Appropriate patches have been applied to Grafana Cloud, and as always, we closely coordinated with all cloud providers licensed to offer Grafana Cloud Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure Managed Grafana.
Broken access control: viewer can send test alerts (CVE-2023-2183)
Summary
Grafana allows a user in the Viewer role to send alerts through the Alert - Test API. This option is not exposed in the user panel UI for the Viewer role, so the API behaviour is inconsistent with the UI's permission model.
The CVSS score for this vulnerability is 4.1 Medium (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N).
Impact
Because the API does not check the caller's access to the alert test function, users without the required permission can call the Alert - Test API directly. A Viewer, for example, has no access to this option in the Grafana user panel but can still invoke it via the API.
This vulnerability enables malicious users to abuse the functionality by sending multiple alert messages via email, Slack, and other platforms: spamming users, preparing phishing attacks, getting the SMTP server or its IP blocked, or causing the instance's messages to be moved to a spam folder or its IP to be added to a blocklist.
Impacted versions
Grafana 9.5 > 9.5.3
Grafana 9.4 > 9.4.12
Grafana 9.3 > 9.3.15
Grafana 9.0 > 9.2.19
Grafana 8.0 > 8.5.26
Solutions and mitigations
To fully address CVE-2023-2183, please upgrade your Grafana instances.
Grafana DS proxy race condition (CVE-2023-2801)
Summary
We have discovered a vulnerability in Grafana's data source query endpoints that can crash a Grafana instance.
If you have public dashboards (PD) enabled, we are scoring this as a CVSS 7.5 High.
If you have disabled PD, this vulnerability is still a risk, but triggering the issue requires data source read privileges and access to the Grafana API through a developer script.
Impact
An API call to the /ds/query endpoint or to a public dashboard query endpoint that contains mixed queries (i.e., two or more distinct data sources in one API call) can crash the Grafana instance.
The only feature that uses mixed queries within Grafana right now is public dashboards, but it is also possible to cause this issue by calling the API directly.
Impacted versions
Grafana 9.4.0 > 9.4.12
Grafana 9.5 > 9.5.3
Solutions and mitigations
To fully address CVE-2023-2801, please upgrade your Grafana instances.
You can also block mixed query requests by adding a patch to Grafana 9.4 that disables concurrent mixed query calls. Please note that this is a short-term fix; a long-term fix is in progress.
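The short-term mitigation above amounts to recognising a mixed query request before it reaches the data source proxy. The following Go function, added here as an illustration and not Grafana's own code or patch, classifies a /ds/query request body by counting the distinct data sources its queries reference. It assumes the usual body shape of a "queries" array in which each query carries either a "datasource" object with a "uid" or a legacy numeric "datasourceId"; the exact field names are an assumption about the wire format.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// dsRef is the per-query data source reference. Newer clients send an
// object with "uid" and "type"; older ones send a numeric "datasourceId"
// on the query itself. Both shapes are an assumption, not from the advisory.
type dsRef struct {
	UID  string `json:"uid"`
	Type string `json:"type"`
}

type dsQuery struct {
	RefID        string `json:"refId"`
	Datasource   *dsRef `json:"datasource"`
	DatasourceID *int64 `json:"datasourceId"`
}

type dsQueryRequest struct {
	Queries []dsQuery `json:"queries"`
}

// datasourceKey returns a stable identity for the data source one query
// targets, preferring the uid and falling back to the legacy numeric id.
func datasourceKey(q dsQuery) string {
	if q.Datasource != nil && q.Datasource.UID != "" {
		return "uid:" + q.Datasource.UID
	}
	if q.DatasourceID != nil {
		return "id:" + strconv.FormatInt(*q.DatasourceID, 10)
	}
	return "unknown"
}

// IsMixedQuery reports whether a /ds/query body targets two or more
// distinct data sources, the condition the advisory describes. Malformed
// JSON is returned as an error so a gateway can reject instead of forward.
func IsMixedQuery(body []byte) (bool, error) {
	var req dsQueryRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return false, fmt.Errorf("invalid /ds/query body: %w", err)
	}
	seen := map[string]struct{}{}
	for _, q := range req.Queries {
		seen[datasourceKey(q)] = struct{}{}
	}
	return len(seen) > 1, nil
}
```

A reverse proxy or middleware in front of the unpatched versions can call IsMixedQuery on the request body and return a 4xx response when it reports true, while single-source requests pass through unchanged.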
Reporting security issues
If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs' open source and commercial products (including, but not limited to, Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key.
The key fingerprint is 225E 6A9B BB15 A37E 95EB 6312 C66A 51CC B44C 27E0
The key is available from keyserver.ubuntu.com.
Security announcements
We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to our RSS feed.