Grafana 5.4.5 and 6.3.4 Security Update

We received a security report to security@grafana.com on August 12, 2019, about a vulnerability in Grafana involving incorrect access to the HTTP API. It was later identified as affecting Grafana versions from 2.0.0 to 6.3.3. CVE-2019-15043 has been reserved for this vulnerability.

This vulnerability allows an unauthenticated user or client to access parts of the Grafana HTTP API. This makes it possible to run a denial-of-service attack against the server running Grafana.

Affected versions

Grafana releases 2.0.0 through 6.3.3 are affected by this vulnerability.

Solutions and mitigations

Download and install the appropriate patch for your version of Grafana.

Grafana Cloud instances have already been patched, and Grafana Enterprise customers have been provided with updated binaries.

Conclusion

If you run a Grafana instance on any version from 2.0.0 through 6.3.3, please upgrade to Grafana 5.4.5 or 6.3.4 as soon as possible.