Bug 2137913 (CVE-2022-39328) - CVE-2022-39328 grafana: race condition allowing privilege escalation
Summary: CVE-2022-39328 grafana: race condition allowing privilege escalation
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2022-39328
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2137894
TreeView+ depends on / blocked
 
Reported: 2022-10-26 14:54 UTC by Anten Skrabec
Modified: 2023-09-01 04:16 UTC (History)
46 users (show)

Fixed In Version: grafana 9.2.4 grafana 8.5.15
Doc Type: If docs needed, set a value
Doc Text:
A race condition was found in Grafana in the middleware logic that could allow bypassing authentication. This flaw allows an unauthenticated user to successfully query an administration endpoint under a heavy load by using a load testing script hitting specific endpoints.
Clone Of:
Environment:
Last Closed: 2023-03-03 21:47:23 UTC
Embargoed:

Attachments (Terms of Use)

Description Anten Skrabec 2022-10-26 14:54:29 UTC 
A race condition was found in the middleware logic that when exploited the user could bypass the authentication middleware. Using a load testing script hitting specific endpoints, an unauthenticated user could query successfully an administration endpoint under heavy load.

This impacts only 9.2.0 and 9.2.1.
Comment 25 Product Security DevOps Team 2023-03-03 21:47:19 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-39328
Note You need to log in before you can comment on or make changes to this bug.