CVE-2022-39328: Grafana Race condition allowing privilege escalation

May 14, 2024

Internal security audit identified a race condition in the Grafana codebase, which allowed an unauthenticated user to query an arbitrary endpoint in Grafana. A race condition in the HTTP context creation could make a HTTP request being assigned the authentication/authorization middlewares of another call. Under heavy load it is possible that a call protected by a privileged middleware receives instead the middleware of a public query. As a result, an unauthenticated user can successfully query protected endpoints.

References

github.com/advisories/GHSA-vqc4-mpj8-jxch
github.com/grafana/grafana
github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch
nvd.nist.gov/vuln/detail/CVE-2022-39328
security.netapp.com/advisory/ntap-20221215-0003

Code Behaviors & Features

Detect and mitigate CVE-2022-39328 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →