Precautionary patches for Grafana released following critical go vulnerability CVE-2023-24538
On April 19, Grafana Labs was made aware of a CVSS 9.8 Critical vulnerability in golang. While we have confirmed the presence of vulnerable versions in our services, we do not believe we have exploitable vulnerabilities at this time. Still, we are releasing patches as a precautionary measure.
While the base CVSS score is 9.8 (Critical), we assess Grafana’s exposure in open source, Grafana Enterprise, and Grafana Cloud as CVSS 0.0 (Informational).
We also encourage users and customers to upgrade any go-based, third-party plugins as new versions become available, as a matter of course.
Release 9.5.1, latest patch, also containing security fix:
Release 9.4.9, also containing security fix:
Release 9.3.13, also containing security fix:
Release 9.2.17, also containing security fix:
Release 8.5.24, also containing security fix:
Appropriate patches have been applied to Grafana Cloud and as always, we closely coordinated with all cloud providers licensed to offer Grafana Cloud Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure Managed Grafana.
Summary of CVE-2023-24538
An issue in how go templates handle backticks (`) in JavaScript can lead to injection of arbitrary code into go templates. While Grafana Labs software contains potentially vulnerable versions of go, we have not identified any exploitable use cases at this time.
The CVSS score for this vulnerability is 0.0 (adjusted), 9.8 (base).
Impact
No exploitable impact identified. The base vulnerability permits injection of arbitrary JavaScript into go templates.
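The pattern behind the summary above, as an added toolchain check that is not part of this advisory or of Grafana's code: a go template action placed inside an ES6 template literal (backticks) is rendered with a constructed value that itself contains a backtick. A patched go either refuses the template (go 1.19.8 to 1.21.x) or escapes the data backtick (go 1.22 and later); an unpatched go lets the raw backtick through, closing the literal early. The template text and the value are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// Constructed template: a go action inside a JavaScript template literal.
const jsLiteralTemplate = "<script>var greeting = `Hello, {{.}}`;</script>"

// Constructed value: a backtick that would close the literal if left raw.
const hostileValue = "world`; injected(); //"

// Result records how the running go toolchain handled the case.
type Result struct {
	Rejected bool   // template refused by the escaper (go 1.19.8 - 1.21.x)
	Escaped  bool   // rendered, data backtick neutralised (go 1.22+)
	Unsafe   bool   // data backtick reached the output raw (unpatched go)
	Output   string
	Err      error
}

// renderJSLiteral parses and executes the template. html/template escapes
// lazily on first Execute, so the rejection may surface from either step.
func renderJSLiteral(value string) (string, error) {
	t, err := template.New("page").Parse(jsLiteralTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, value); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// checkToolchain classifies the behaviour: only the two delimiter backticks
// from the template may survive; a third means the value broke out.
func checkToolchain() Result {
	out, err := renderJSLiteral(hostileValue)
	if err != nil {
		return Result{Rejected: true, Err: err}
	}
	if strings.Count(out, "`") == 2 {
		return Result{Escaped: true, Output: out}
	}
	return Result{Unsafe: true, Output: out}
}

func main() {
	r := checkToolchain()
	fmt.Printf("rejected=%v escaped=%v unsafe=%v\n%v%s\n", r.Rejected, r.Escaped, r.Unsafe, r.Err, r.Output)
}
```

Running this against each go toolchain in your build pipeline confirms that the versions building Grafana and its go-based plugins carry the fix.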
Impacted versions
All Grafana versions
Solutions and mitigations
There is no mitigation required for any products or OSS projects developed by Grafana Labs; however, you can apply patches to your Grafana instances as a precautionary measure. We also encourage you to update any third-party, go-based plugins as new versions become available.
Reporting security issues
If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs’ open source and commercial products (including, but not limited to, Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is 225E 6A9B BB15 A37E 95EB 6312 C66A 51CC B44C 27E0.
The key is available from keyserver.ubuntu.com.
Security announcements
We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to our RSS feed.