CVE-2023-2801 Grafana data source proxy race condition

If you send an API call to the /ds/query or public dashboard query endpoint (if public dashboards is enabled) that has mixed queries (i.e. 2 or more distinct data sources in one API call), you can crash your Grafana instance. The only feature that uses mixed queries within Grafana right now is public dashboards, but it is also possible to cause this by calling the API directly.

Steps to reproduce

If public dashboards are enabled, just hit a public dashboard under heavy load. If public dashboards is disabled, the only way you can reproduce this is by hitting the /ds/query endpoint with a mixed query payload under heavy load with a load testing script.

Grafana 9.4.0 - Grafana 10.0
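
For operators who want to know whether clients already send mixed queries to /ds/query, the following added example (not part of the original report and not Grafana's own code) classifies a request body by the number of distinct data sources it references. It assumes the request shape from Grafana's documented query API, where each query carries either datasource.uid or a numeric datasourceId; the function name and sample bodies are made up for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed sample bodies (not captured traffic); the UIDs are made up.
const (
	sampleSingle = `{"queries":[{"refId":"A","datasource":{"uid":"prom-1"}},{"refId":"B","datasource":{"uid":"prom-1"}}],"from":"now-1h","to":"now"}`
	sampleMixed  = `{"queries":[{"refId":"A","datasource":{"uid":"prom-1"}},{"refId":"B","datasource":{"uid":"loki-1"}}],"from":"now-1h","to":"now"}`
)

// dsRequest keeps only the fields that identify each query's data source.
// The field names are assumed from Grafana's documented query API.
type dsRequest struct {
	Queries []struct {
		DatasourceID *int64 `json:"datasourceId"`
		Datasource   *struct {
			UID string `json:"uid"`
		} `json:"datasource"`
	} `json:"queries"`
}

// DistinctDataSources returns the sorted set of data sources one request body
// refers to. Two or more entries means the request is a mixed query.
func DistinctDataSources(body []byte) ([]string, error) {
	var req dsRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, fmt.Errorf("unparseable query request: %w", err)
	}
	seen := map[string]bool{}
	for _, q := range req.Queries {
		if q.Datasource != nil && q.Datasource.UID != "" {
			seen["uid:"+q.Datasource.UID] = true
		} else if q.DatasourceID != nil {
			seen[fmt.Sprintf("id:%d", *q.DatasourceID)] = true
		}
	}
	out := make([]string, 0, len(seen))
	for k := range seen {
		out = append(out, k)
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	for _, body := range []string{sampleSingle, sampleMixed} {
		ds, err := DistinctDataSources([]byte(body))
		fmt.Printf("sources=%v mixed=%v err=%v\n", ds, len(ds) >= 2, err)
	}
}
```

A request that names the same data source once by uid and once by datasourceId is counted as two sources, so treat a result of two or more as a candidate to review rather than a confirmed mixed query.
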
Created grafana tracking bugs for this issue: Affects: fedora-all [bug 2214617]
This issue has been addressed in the following products: Red Hat Ceph Storage 6.1 Via RHSA-2023:7740 https://access.redhat.com/errata/RHSA-2023:7740
This issue has been addressed in the following products: Red Hat Ceph Storage 6.1 Via RHSA-2023:7741 https://access.redhat.com/errata/RHSA-2023:7741