CVE-2022-39328 — Race Condition in Grafana Grafana

CWE-362 — Race Condition9 documents6 sources

Severity

8.1HIGHNVD

CNA9.8

EPSS

3.8%

top 11.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Grafana Grafana Grafana

Timeline

PublishedNov 8

Latest updateJun 5

Description

Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middlewares logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patched in 9.2.4. There are no known workarounds.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

▶NVDgrafana/grafana9.2.0 — 9.2.4

▶Gogithub.com/grafana_grafana9.2.0 — 9.2.4

▶CVEListV5grafana/grafana>= 9.2.0, < 9.2.4

🔴Vulnerability Details

OSV

Grafana Race condition allowing privilege escalation in github.com/grafana/grafana↗2024-06-05

▶

OSV

Grafana Race condition allowing privilege escalation↗2024-05-14

▶

GHSA

Grafana Race condition allowing privilege escalation↗2024-05-14

▶

OSV

CVE-2022-39328: Grafana is an open-source platform for monitoring and observability↗2022-11-08

▶

CVEList

Grafana vulnerable to race condition allowing privilege escalation↗2022-11-08

▶

📋Vendor Advisories

Red Hat

grafana: race condition allowing privilege escalation↗2022-11-08

▶

🕵️Threat Intelligence

Sentinelone

CVE-2022–39328: Grafana Releases New Versions for Recent Vulnerability↗2022-11-15

▶