C-0090 - CVE-2022-39328-grafana-auth-bypass

Framework

AllControls

Severity

Critical

Description of the the issue

An internal security audit identified a race condition in the Grafana codebase, which allowed an unauthenticated user to query an arbitrary endpoint in Grafana. A race condition in the HTTP context creation could result in an HTTP request being assigned the authentication/authorization middlewares of another call. Under heavy load, it is possible that a call protected by a privileged middleware receives the middleware of a public query instead. As a result, an unauthenticated user can successfully query protected endpoints. The CVSS score for this vulnerability is 9.8 Critical.

Related resources

Deployment

What does this control test

This control test for vulnerable versions of Grafana (between 9.2 and 9.2.3)

Remediation

Update your Grafana to 9.2.4 or above

Example