FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Grafana -- Privilege escalation

Affected packages
9.2.0 <= grafana < 9.2.4
9.2.0 <= grafana9 < 9.2.4

Details

VuXML ID db895ed0-6298-11ed-9ca2-6c3be5272acd
Discovery 2022-11-08
Entry 2022-11-12

Grafana Labs reports:

Internal security audit identified a race condition in the Grafana codebase, which allowed an unauthenticated user to query an arbitrary endpoint in Grafana. A race condition in the HTTP context creation could make a HTTP request being assigned the authentication/authorization middlewares of another call. Under heavy load it is possible that a call protected by a privileged middleware receives instead the middleware of a public query. As a result, an unauthenticated user can successfully query protected endpoints.

The CVSS score for this vulnerability is 9.8 Critical

References

CVE Name CVE-2022-39328
URL https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch