Description
The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access token or authentication is required to exploit this vulnerability.
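The weakness described above is a missing cap on the request body before it is buffered and decoded. The following Go program is an added illustration, not Grafana's own code and not the upstream fix: it places a minimal handler that reads the whole body with io.ReadAll next to a hardened version that wraps the body in http.MaxBytesReader before JSON decoding, and drives both with a constructed oversized payload. The URL path, the queryRequest struct shape, and the 1 MiB limit are assumptions chosen for the demonstration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// queryRequest is a hypothetical stand-in for the JSON body a dashboard
// query endpoint might accept; the real schema is not shown on this page.
type queryRequest struct {
	Queries []map[string]any `json:"queries"`
	From    string           `json:"from"`
	To      string           `json:"to"`
}

// MaxQueryBodyBytes is an assumed cap on the request body (1 MiB).
const MaxQueryBodyBytes = 1 << 20

// VulnerableHandler reproduces the pattern in the advisory: the entire body is
// read into memory before any size check, so a client controls the allocation.
func VulnerableHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body) // no cap: buffers whatever the client sends
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	var q queryRequest
	if err := json.Unmarshal(body, &q); err != nil {
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "ok: %d queries", len(q.Queries))
}

// HardenedHandler bounds the body before decoding. Reads past the cap return
// *http.MaxBytesError, and under a real net/http server the connection is
// also closed so the client cannot keep streaming bytes.
func HardenedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, MaxQueryBodyBytes)
	var q queryRequest
	dec := json.NewDecoder(r.Body) // streams; never holds more than the cap
	if err := dec.Decode(&q); err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "ok: %d queries", len(q.Queries))
}

// PostJSON sends a synthetic unauthenticated POST to a handler and returns the
// status code, so the two behaviours can be compared without a live server.
// The path is hypothetical.
func PostJSON(h http.HandlerFunc, body string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/public/query", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	h(rec, req)
	return rec.Code
}

// OversizedBody is a constructed, syntactically valid JSON query whose padding
// field alone exceeds MaxQueryBodyBytes.
func OversizedBody() string {
	return `{"queries":[{"refId":"A","pad":"` + strings.Repeat("A", MaxQueryBodyBytes) + `"}]}`
}

// SmallBody is a constructed request that fits comfortably under the cap.
func SmallBody() string {
	return `{"queries":[{"refId":"A"}],"from":"now-1h","to":"now"}`
}

func main() {
	log.Printf("vulnerable: small=%d oversized=%d",
		PostJSON(VulnerableHandler, SmallBody()), PostJSON(VulnerableHandler, OversizedBody()))
	log.Printf("hardened:   small=%d oversized=%d",
		PostJSON(HardenedHandler, SmallBody()), PostJSON(HardenedHandler, OversizedBody()))
}
```

The vulnerable handler accepts the oversized body with 200 after allocating all of it; the hardened one rejects it with 413 without buffering more than the cap. Checking only the Content-Length header is not a substitute, since a chunked request carries no length, so the bound has to be enforced on the reader itself and before any decoding.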
CVSS breakdown
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (base score 7.5)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: None
- Integrity: None
- Availability: High
Affected products
- Grafana / Grafana Enterprise: 0 – 11.6.14
- Grafana / Grafana Enterprise: 0 – 12.2.8
- Grafana / Grafana Enterprise: 0 – 12.3.6
- Grafana / Grafana Enterprise: 0 – 12.4.3
- Grafana / Grafana Enterprise: 0 – 13.0.1
- Grafana / Grafana OSS: 11.6.0 – 11.6.14
- Grafana / Grafana OSS: 12.2.0 – 12.2.8
- Grafana / Grafana OSS: 12.3.0 – 12.3.6
- Grafana / Grafana OSS: 12.4.0 – 12.4.3
- Grafana / Grafana OSS: 13.0.0 – 13.0.1