
CVE-2023-2801: Grafana Missing Synchronization vulnerability

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.68104%
Published: 6/6/2023
Updated: 2/13/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name                Ecosystem   Vulnerable Versions   First Patched Version
github.com/grafana/grafana  go          < 9.4.12              9.4.12
github.com/grafana/grafana  go          >= 9.5.0, < 9.5.3     9.5.3

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from improper synchronization in mixed query handling. The advisory explicitly references a 'ds proxy race condition' and public dashboard query execution as attack vectors. The first function is core to data source proxying and would require synchronization when managing concurrent requests. The second function handles public dashboard queries where mixed data source interactions occur. Both align with CWE-820's missing synchronization pattern and the described crash scenario. Confidence is high for the proxy function due to direct correlation with the advisory's technical details, and medium for the public dashboard function due to its role in mixed query execution.
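The missing-synchronization pattern the analysis above describes, as an added Go illustration that is not Grafana's code: a mixed query is fanned out to several data sources and the per-source results are merged into one shared map. DataSource, runMixedQueryUnsafe and runMixedQuery are constructed names; the unsafe variant writes the map from concurrent goroutines, which in Go is a fatal runtime error that takes down the whole server process (the availability impact this CVE records), while the hardened variant serializes the writes with a mutex.

```go
package main

import "sync"

// DataSource is a constructed stand-in for a data source plugin (not Grafana's
// real interface): a name plus a query function.
type DataSource struct {
	Name  string
	Query func(expr string) []float64
}

// runMixedQueryUnsafe fans one mixed query out to every data source and merges
// the results into a shared map with no synchronization (the CWE-820 pattern).
// Racing writes trip Go's "fatal error: concurrent map writes", which recover()
// cannot catch, so the whole process dies instead of one request failing.
func runMixedQueryUnsafe(sources []DataSource, expr string) map[string][]float64 {
	results := make(map[string][]float64)
	var wg sync.WaitGroup
	for _, ds := range sources {
		wg.Add(1)
		go func(ds DataSource) {
			defer wg.Done()
			results[ds.Name] = ds.Query(expr) // unsynchronized write to shared map
		}(ds)
	}
	wg.Wait()
	return results
}

// runMixedQuery is the hardened form: same fan-out, but each write to the shared
// map is serialized through a mutex, and the slow query runs outside the lock.
func runMixedQuery(sources []DataSource, expr string) map[string][]float64 {
	results := make(map[string][]float64)
	var mu sync.Mutex
	var wg sync.WaitGroup
	for _, ds := range sources {
		wg.Add(1)
		go func(ds DataSource) {
			defer wg.Done()
			series := ds.Query(expr)
			mu.Lock()
			results[ds.Name] = series
			mu.Unlock()
		}(ds)
	}
	wg.Wait()
	return results
}
```

Building with the race detector (go test -race or go run -race) reports the data race in runMixedQueryUnsafe even on runs where the runtime's own concurrent-map-write check does not fire, which is the cheapest way to catch this bug class before it reaches production.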

Description

Grafana is an open-source platform for monitoring and observability. Using public dashboards, users can query multiple distinct data sources using mixed queries. However, such a query has a possibility of crashing a Grafana instance. The only feature