Grafana MSSQL Data Source Plugin Restriction Bypass Leading to Out-of-Memory Denial-of-Service
Vulnerability
A logic flaw in the Grafana MSSQL data source plugin allows low-privileged users (Viewers) to bypass API restrictions and cause severe memory exhaustion, leading to a crash of the host container. This vulnerability affects Grafana versions from 12.1.0 up to (but not including) 12.1.10, 12.2.0 up to 12.2.8, 12.3.0 up to 12.3.6, 11.6.0 up to 11.6.14, and 12.4.0 up to 12.4.2.
Impact
Exploiting this vulnerability causes a denial-of-service condition by exhausting memory resources, leading to a crash of the host container.
Remediation
Users on the 12.4.0, 11.6.0, 12.1.0, 12.2.0, or 12.3.0 release lines can upgrade to Grafana 12.4.2, 11.6.14, 12.1.10, 12.2.8, or 12.3.6 respectively, the first version on each line that is no longer listed as affected.
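To triage an inventory against the ranges above, the following added example (not Grafana's or the advisory author's code) classifies version strings taken from each instance's `/api/health` JSON. The hostnames and sample bodies are constructed, and reading the `version` field from that response is an assumption about how the inventory was collected.

```python
import json
import re

# Ranges as listed in the advisory: (first affected release, first fixed release).
AFFECTED_RANGES = [
    ((11, 6, 0), (11, 6, 14)),
    ((12, 1, 0), (12, 1, 10)),
    ((12, 2, 0), (12, 2, 8)),
    ((12, 3, 0), (12, 3, 6)),
    ((12, 4, 0), (12, 4, 2)),
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$")

def parse_version(text):
    """Return ((major, minor, patch), is_prerelease); build metadata is ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4) is not None

def classify(version_text):
    """Return (status, upgrade_target) for one Grafana version string."""
    version, prerelease = parse_version(version_text)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if version[:2] != first_affected[:2]:
            continue
        # Semver sorts a pre-release of the fixed version *before* the fix.
        if version < first_fixed or (version == first_fixed and prerelease):
            return "affected", ".".join(map(str, first_fixed))
        return "fixed", None
    # The advisory makes no statement about other branches; do not call them safe.
    return "not-listed", None

def triage(health_bodies):
    """Map host -> classify() result from /api/health JSON bodies."""
    return {h: classify(json.loads(b)["version"]) for h, b in health_bodies.items()}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "grafana-a": '{"database": "ok", "version": "12.1.9"}',
    "grafana-b": '{"database": "ok", "version": "12.4.2"}',
    "grafana-c": '{"database": "ok", "version": "11.6.14-pre"}',
    "grafana-d": '{"database": "ok", "version": "10.4.3"}',
}

if __name__ == "__main__":
    for host, (status, target) in triage(SAMPLE).items():
        print(host, status, target or "-")
```

A `not-listed` result means the branch does not appear in the advisory, not that the instance is unaffected.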
