CVE-2022-39328

CRITICAL9.8EPSS 4.3%

Grafana vulnerable to race condition allowing privilege escalation

發布日:2024/5/14修改日:2025/5/20

描述

Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middlewares logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patched in 9.2.4. There are no known workarounds.

受影響套件(3)

Bitnami/grafana>= 9.2.0, < 9.2.4
Go/github.com/grafana/grafana>= 9.2.0, < 9.2.4
Go/github.com/grafana/grafanafrom 0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-39328
PATCHhttps://github.com/grafana/grafana
WEBhttps://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch
WEBhttps://security.netapp.com/advisory/ntap-20221215-0003
WEBhttps://security.netapp.com/advisory/ntap-20221215-0003/