CVE Vulnerabilities

CVE-2023-2801

Improper Synchronization

Published: Jun 06, 2023 | Modified: Jul 06, 2023
CVSS 3.x
5.3
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
7.5 MODERATE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM

Grafana is an open-source platform for monitoring and observability.

Using public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance.

The only feature that uses mixed queries at the moment is public dashboards, but its also possible to cause this by calling the query API directly.

This might enable malicious users to crash Grafana instances through that endpoint.

Users may upgrade to version 9.4.12 and 9.5.3 to receive a fix.

Weakness

The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.

Affected Software

Name Vendor Start Version End Version
Grafana Grafana 9.4.0 (including) 9.4.12 (excluding)
Grafana Grafana 9.5.0 (including) 9.5.3 (excluding)
Red Hat Ceph Storage 6.1 RedHat ceph-2:17.2.6-167.el9cp *
Red Hat Ceph Storage 6.1 RedHat cephadm-ansible-1:2.18.0-1.el9cp *
Red Hat Ceph Storage 6.1 RedHat rhceph/rhceph-6-dashboard-rhel9:6-82 *
Grafana Ubuntu bionic *
Grafana Ubuntu trusty *
Grafana Ubuntu xenial *

Extended Description

Synchronization refers to a variety of behaviors and mechanisms that allow two or more independently-operating processes or threads to ensure that they operate on shared resources in predictable ways that do not interfere with each other. Some shared resource operations cannot be executed atomically; that is, multiple steps must be guaranteed to execute sequentially, without any interference by other processes. Synchronization mechanisms vary widely, but they may include locking, mutexes, and semaphores. When a multi-step operation on a shared resource cannot be guaranteed to execute independent of interference, then the resulting behavior can be unpredictable. Improper synchronization could lead to data or memory corruption, denial of service, etc.

Potential Mitigations

References