CVE-2023-2801
📋 TL;DR
This denial-of-service vulnerability in Grafana lets an attacker crash an instance by submitting a crafted mixed-data-source query, either through a public dashboard or through the query API. It affects Grafana instances that have public dashboards enabled or whose query endpoints are reachable by untrusted clients. A crash takes down dashboards, alert evaluation and any tooling that depends on the instance for observability until the service is restarted.
💻 Affected Systems
- Grafana
📦 What is this software?
Grafana, the open-source monitoring and observability platform by Grafana Labs.
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage of Grafana, disrupting monitoring, alerting, and observability for dependent systems, potentially causing cascading failures in infrastructure management.
Likely Case
Temporary denial of service affecting Grafana dashboards and query capabilities, requiring instance restart and causing monitoring gaps.
If Mitigated
Minimal impact if public dashboards are disabled and query API access is restricted; exposure is then limited to authenticated users who already hold query permission on the affected data sources.
🎯 Exploit Status
Exploitation requires sending a crafted mixed query. Public dashboards are served without a login, so anyone holding a public dashboard's share link (its access token) can reach its query endpoint without an account; the regular query API requires an authenticated user with data-source query permission.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.4.12 (9.4 branch) or 9.5.3 (9.5 branch); later releases include the fix
Vendor Advisory: https://grafana.com/security/security-advisories/cve-2023-2801/
Restart Required: Yes
Instructions:
1. Back up the Grafana configuration (grafana.ini) and data (the Grafana database and any provisioning files).
2. Upgrade to Grafana 9.4.12 or 9.5.3 with your package manager (e.g., apt-get upgrade grafana on Debian/Ubuntu).
3. Restart the Grafana service (e.g., systemctl restart grafana-server).
4. Verify the running version and that dashboards and queries still work.
🔧 Temporary Workarounds
Disable Public Dashboards
Prevents unauthenticated access to mixed queries via public dashboards.
In grafana.ini, remove publicDashboards from the [feature_toggles] enable list (or set publicDashboards = false in that section) and restart Grafana. Note that [security] allow_embedding governs iframe embedding only and does not disable public dashboards.
Restrict Query API Access
Limit access to the query endpoints using network controls or authentication.
Configure firewall or reverse-proxy rules to block external access to /api/ds/query and to the public-dashboard query routes under /api/public/dashboards/
Require authentication for all API calls from outside trusted networks
🧯 If You Can't Patch
- Disable public dashboards and restrict query API to trusted networks only.
- Put a reverse proxy or WAF in front of Grafana and apply rate limiting and request filtering on the query endpoints to slow down or block crafted payloads.
🔍 How to Verify
Check if Vulnerable:
Check the Grafana version: 9.4.x below 9.4.12, 9.5.x below 9.5.3, and any older release are unpatched. If the instance is unpatched and either public dashboards are enabled or the query API is reachable by untrusted clients, treat it as vulnerable.
Check Version:
grafana-server -v on the host, or GET /api/health on the web interface (the JSON response includes a version field)
Verify Fix Applied:
Confirm the running version is 9.4.12 or later on the 9.4 branch, 9.5.3 or later on the 9.5 branch, or any newer release, then exercise a public dashboard or the query API to confirm normal behaviour.
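The version rule and the public-dashboards check above, as an added worked example (not Grafana's own code). It parses the JSON that GET /api/health returns, applies the per-branch fixed-version logic from this advisory, and reads the publicDashboards feature toggle from a grafana.ini fragment. The health response and the ini text are constructed samples; the script assumes configuration comes from grafana.ini rather than from GF_* environment overrides, which it does not read.

```python
"""Assess a Grafana instance against CVE-2023-2801 from its reported version
and its grafana.ini. Added example; constructed inputs below."""
import configparser
import json
import re

# First fixed patch release on each maintained 9.x branch, per the advisory.
FIRST_FIXED = {(9, 4): 12, (9, 5): 3}


def parse_version(text):
    """'9.5.2', 'v9.5.2' or '9.5.2-pre' -> (9, 5, 2)."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    return tuple(int(part) for part in m.groups())


def version_is_fixed(text):
    major, minor, patch = parse_version(text)
    if (major, minor) in FIRST_FIXED:
        return patch >= FIRST_FIXED[(major, minor)]
    # Branches newer than 9.5 were cut after the fix; older branches never received it.
    return (major, minor) > max(FIRST_FIXED)


def public_dashboards_enabled(ini_text):
    """True if grafana.ini turns on the publicDashboards toggle in either form
    Grafana accepts: `enable = a,b,c` or `publicDashboards = true`."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.read_string(ini_text)
    if cp.has_option("feature_toggles", "publicDashboards"):
        return cp.getboolean("feature_toggles", "publicDashboards")
    enabled = cp.get("feature_toggles", "enable", fallback="")
    return "publicDashboards" in [flag.strip() for flag in enabled.split(",")]


def assess(health_json, ini_text):
    """Combine the /api/health version with the config into a verdict."""
    version = json.loads(health_json)["version"]
    if version_is_fixed(version):
        return "patched"
    if public_dashboards_enabled(ini_text):
        return "vulnerable: unauthenticated path via public dashboards"
    return "vulnerable: authenticated query API only"


# Constructed sample inputs (shape of /api/health output and two ini fragments).
SAMPLE_HEALTH = '{"commit": "0000000", "database": "ok", "version": "9.5.2"}'
INI_ENABLED = """
[server]
http_port = 3000

[feature_toggles]
enable = publicDashboards
"""
INI_DISABLED = """
[feature_toggles]
;enable = publicDashboards
"""

if __name__ == "__main__":
    print(assess(SAMPLE_HEALTH, INI_ENABLED))
    print(assess(SAMPLE_HEALTH, INI_DISABLED))
```

In a real check, replace SAMPLE_HEALTH with the body fetched from your instance's /api/health and read grafana.ini from /etc/grafana/grafana.ini (or wherever your deployment keeps it).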
📡 Detection & Monitoring
Log Indicators:
- Grafana crash logs or service restarts
- High frequency of requests to /api/ds/query or to the public-dashboard query route /api/public/dashboards/<accessToken>/panels/<panelId>/query
- Error messages related to mixed queries or data source failures
Network Indicators:
- Spike in traffic to Grafana query API from untrusted sources
- Unusual payloads in HTTP POST requests to query endpoints
SIEM Query:
source="grafana.logs" AND ("crash" OR "panic" OR "mixed query" OR ("/api/ds/query" AND status=500) OR ("/api/public/dashboards" AND status=500))
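The indicators above as detection logic run over constructed Grafana request-log lines, as an added example (not Grafana's code and not a vendor SIEM rule). It assumes Grafana's default logfmt request log with msg="Request Completed", method=, path=, status=, remote_addr= and an RFC 3339 t= timestamp, and treats a Go "panic:" line in the same stream as a crash indicator. The log lines, IP addresses and thresholds are constructed for illustration; tune the burst threshold to your own baseline.

```python
"""Flag crash lines, 5xx responses on query endpoints and per-source bursts
of query calls in Grafana logfmt output. Added example with constructed logs."""
import re
from collections import defaultdict
from datetime import datetime

# Query entry points named in this advisory: the authenticated data-source
# query API and the public-dashboard panel query route (Grafana 9.x paths).
QUERY_PATH = re.compile(r"^/api/ds/query$|^/api/public/dashboards/[^/]+/panels/\d+/query$")
# A Go process crash surfaces in journald/stdout as a "panic:" line.
PANIC = re.compile(r"^panic: |\bfatal error: ")
# Minimal logfmt tokenizer: key=value or key="quoted value".
LOGFMT_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_logfmt(line):
    fields = {}
    for key, value in LOGFMT_PAIR.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def detect(lines, burst_threshold=5, window_s=60):
    """Return process panics, 5xx responses on query endpoints, and sources
    that issued at least burst_threshold query calls within window_s seconds."""
    findings = {"panics": [], "query_5xx": [], "bursts": []}
    hits = defaultdict(list)  # remote_addr -> timestamps of query-endpoint requests
    for line in lines:
        if PANIC.search(line):
            findings["panics"].append(line)
            continue
        f = parse_logfmt(line)
        path = f.get("path", "")
        if not QUERY_PATH.match(path):
            continue
        src = f.get("remote_addr", "unknown")
        status = int(f["status"]) if f.get("status", "").isdigit() else 0
        if status >= 500:
            findings["query_5xx"].append((src, path, status))
        if "t" in f:
            hits[src].append(datetime.fromisoformat(f["t"]))
    for src, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window's left edge until it spans at most window_s.
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= burst_threshold:
                findings["bursts"].append(src)
                break
    return findings


def _request_line(t, path, status, addr, user_id="0", method="POST"):
    """Build a constructed Grafana request-completed line (logfmt)."""
    return (f'logger=context userId={user_id} orgId=1 t={t} level=info '
            f'msg="Request Completed" method={method} path={path} status={status} '
            f'remote_addr={addr} time_ms=12')


# Constructed sample: one healthy authenticated query, a health check, then six
# public-dashboard query calls from one source within 30 s (the last failing)
# followed by a panic line.
PUBLIC_QUERY = "/api/public/dashboards/0123456789abcdef/panels/2/query"
SAMPLE_LINES = [
    _request_line("2023-06-05T12:00:00+00:00", "/api/ds/query", 200, "203.0.113.20", user_id="1"),
    _request_line("2023-06-05T12:00:01+00:00", "/api/health", 200, "203.0.113.20", user_id="1", method="GET"),
]
for i in range(6):
    SAMPLE_LINES.append(_request_line(f"2023-06-05T12:00:{10 + i * 5:02d}+00:00",
                                      PUBLIC_QUERY, 500 if i == 5 else 200, "203.0.113.10"))
SAMPLE_LINES.append("panic: constructed sample panic line (not a real Grafana stack trace)")

if __name__ == "__main__":
    for kind, items in detect(SAMPLE_LINES).items():
        print(kind, items)
```

Feed it the output of journalctl -u grafana-server or the Grafana log file one line at a time; a panic line in the same stream as a burst of query calls from a single source is the pattern worth alerting on.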