An internal security audit identified a race condition in the Grafana codebase, which allowed an unauthenticated user to query an arbitrary endpoint in Grafana. A race condition in the HTTP context creation could result in an HTTP request being assigned the authentication/authorization middlewares of another call. Under heavy load, it is possible that a call protected by a privileged middleware receives the middleware of a public query instead. As a result, an unauthenticated user can successfully query protected endpoints. The CVSS score for this vulnerability is 9.8 Critical.
This control test for vulnerable versions of Grafana (between 9.2 and 9.2.3)
Update your Grafana to 9.2.4 or above
Updated 15 days ago