Description
A race condition in Grafana Live allows authenticated users with the Viewer role to crash the server by sending concurrent requests that trigger a fatal map access error. The result is complete service unavailability until the Grafana server is restarted.
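The bug class described above, as an added Go example that is not Grafana's code: it assumes the "fatal map access error" is the Go runtime's abort on unsynchronized concurrent map access. The registry types, `hammer`, and the channel name are hypothetical.

```go
package main

import (
	"fmt"
	"sync"
)

// unsafeRegistry is the vulnerable shape: handlers share a plain map. When the Go
// runtime detects concurrent map access it aborts the process; recover() cannot catch it.
type unsafeRegistry struct{ subs map[string]int }

func (r *unsafeRegistry) subscribe(ch string) { r.subs[ch]++ }

// safeRegistry guards the same map with a RWMutex, so writes are serialized
// and a read never overlaps a write.
type safeRegistry struct {
	mu   sync.RWMutex
	subs map[string]int
}

func (r *safeRegistry) subscribe(ch string) {
	r.mu.Lock()
	defer r.mu.Unlock()
	r.subs[ch]++
}

func (r *safeRegistry) count(ch string) int {
	r.mu.RLock()
	defer r.mu.RUnlock()
	return r.subs[ch]
}

// hammer runs `workers` concurrent handlers against one constructed channel name.
func hammer(workers, perWorker int) int {
	r := &safeRegistry{subs: make(map[string]int)}
	var wg sync.WaitGroup
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for j := 0; j < perWorker; j++ {
				r.subscribe("constructed/channel")
				_ = r.count("constructed/channel")
			}
		}()
	}
	wg.Wait()
	return r.count("constructed/channel")
}
func main() { fmt.Println(hammer(64, 1000)) }
```

Running a service's own test suite with `go test -race` flags the unguarded shape before it reaches production, since the race detector reports the conflicting accesses even on runs where the runtime's own check does not fire.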
CVSS breakdown
CVSS 3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality: None
- Integrity: None
- Availability: High
Affected products
- Grafana / Grafana OSS 8.2.0 – 11.6.14
- Grafana / Grafana OSS 11.6.14 – 11.6.14+security-04
- Grafana / Grafana OSS 12.0.0 – 12.2.8
- Grafana / Grafana OSS 12.2.8 – 12.2.8+security-04
- Grafana / Grafana OSS 12.3.0 – 12.3.6
- Grafana / Grafana OSS 12.3.6 – 12.3.6+security-04
- Grafana / Grafana OSS 12.4.0 – 12.4.3
- Grafana / Grafana OSS 12.4.3 – 12.4.3+security-02
- Grafana / Grafana OSS 13.0.0 – 13.0.1
- Grafana / Grafana OSS 13.0.1 – 13.0.1+security-01