CVE-2022-39328
Published: 2022-11-08
Priority: P3 · 46 · high · 8.1 (CVSS 3.1)
CVSS vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.92% (55.9th percentile)
Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middleware logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patched in 9.2.4. There are no known workarounds.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 9.2.0 < 9.2.4 | 9.2.4 |
| grafana | grafana | — | — |
| grafana | grafana | >= 9.2.0 < 9.2.4 | 9.2.4 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | 8.1 | HIGH | — |
| osv | 8.1 | HIGH | — |
| vendor_redhat | 9.8 | CRITICAL | — |
OSV
CVE-2022-39328: Grafana Race condition allowing privilege escalation in github.com/grafana/grafana
osv · 2024-06-05
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/grafana/grafana from v9.2.0 before v9.2.4.
OSV
CVE-2022-39328 [HIGH]: Grafana Race condition allowing privilege escalation
osv · 2024-05-14 · CVSS 8.1
Today we are releasing Grafana 9.2.4. Alongside other bug fixes, this patch release includes critical security fixes for CVE-2022-39328.
Release 9.2.4 (latest patch release, containing the security fix):
- [Download Grafana 9.2.4](https://grafana.com/grafana/download/9.2.4)
Appropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud) and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure Managed Grafana as a service offering.
## Privilege escalation
### Summary
Internal security audit identifie
GHSA
CVE-2022-39328 [HIGH] CWE-362: Grafana Race condition allowing privilege escalation
ghsa · 2024-05-14 · CVSS 8.1
(Advisory text identical to the OSV entry above.)
OSV
CVE-2022-39328 [HIGH]: Grafana is an open-source platform for monitoring and observability
osv · 2022-11-08 · CVSS 8.1
Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middleware logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patched in 9.2.4. There are no known workarounds.
Red Hat
CVE-2022-39328 [CRITICAL] CWE-362: grafana: race condition allowing privilege escalation
vendor_redhat · 2022-11-08 · CVSS 9.8
A race condition was found in Grafana in the middleware logic that could allow bypassing authentication. This flaw allows an unauthenticated user to successfully query an administration endpoint under a heavy load by using a load testing script hitting specific endpoints.
Package: openshift-logging/logging-loki-rhel9 (Logging Subsystem for Red Hat OpenShift) - Not affected
Package: openshift-loggin
No detection rules found.
No public exploits indexed.
Published: 2022-11-08