CVE-2022-39328

CRITICAL

Grafana 9.2.0-9.2.3 - Unauthenticated Administration Endpoint Access via Race Condition

Title source: llm

Description

Grafana is an open-source platform for monitoring and observability. Versions 9.2.0 and later, before 9.2.4, contain a race condition in the authentication middleware logic that may allow an unauthenticated user to query an administration endpoint under heavy load. The issue is patched in 9.2.4. There are no known workarounds; upgrading is the only remediation.
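The advisory names the bug class (CWE-362 in an authentication middleware) but not the code, so the following is an added illustration of that class, not Grafana's code and not a reproduction of the actual flaw. It contrasts a middleware that stores the resolved identity in process-wide shared state with one that carries it in the per-request context. Under concurrent load the shared-state version lets an anonymous request observe the identity another goroutine just resolved. The token table, the `/api/admin/settings` path and the handler names are constructed for the example.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"runtime"
	"sync"
)

// user is the identity the auth middleware resolves for one request.
type user struct {
	Name    string
	IsAdmin bool
}

// lookup maps a bearer token to a user. The token table is constructed for
// this example; an empty or unknown token resolves to nil (anonymous).
func lookup(authz string) *user {
	if authz == "Bearer admin-token" {
		return &user{Name: "admin", IsAdmin: true}
	}
	return nil
}

// --- vulnerable pattern (CWE-362): identity kept in request-independent shared state ---

// current is written by every request and read by every handler invocation,
// so concurrent requests interleave on it.
var current *user

func racyAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		current = lookup(r.Header.Get("Authorization"))
		runtime.Gosched() // stands in for work a real middleware does before the handler runs
		next.ServeHTTP(w, r)
	})
}

func racyAdmin(w http.ResponseWriter, r *http.Request) {
	if current != nil && current.IsAdmin { // may observe another request's identity
		w.WriteHeader(http.StatusOK)
		return
	}
	w.WriteHeader(http.StatusUnauthorized)
}

// --- fixed pattern: identity travels with the request in its context ---

type userKey struct{}

func safeAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u := lookup(r.Header.Get("Authorization"))
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), userKey{}, u)))
	})
}

func safeAdmin(w http.ResponseWriter, r *http.Request) {
	u, _ := r.Context().Value(userKey{}).(*user) // nil for anonymous requests
	if u != nil && u.IsAdmin {
		w.WriteHeader(http.StatusOK)
		return
	}
	w.WriteHeader(http.StatusUnauthorized)
}

func racyChain() http.Handler { return racyAuth(http.HandlerFunc(racyAdmin)) }
func safeChain() http.Handler { return safeAuth(http.HandlerFunc(safeAdmin)) }

// status sends one request to h with the given Authorization header value
// (empty means anonymous) and returns the HTTP status code.
func status(h http.Handler, authz string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/api/admin/settings", nil)
	if authz != "" {
		req.Header.Set("Authorization", authz)
	}
	h.ServeHTTP(rec, req)
	return rec.Code
}

// stress interleaves n admin requests with n anonymous requests and returns
// how many anonymous requests were answered 200, i.e. how many bypassed auth.
func stress(h http.Handler, n int) int {
	var wg sync.WaitGroup
	var mu sync.Mutex
	bypassed := 0
	for i := 0; i < n; i++ {
		wg.Add(2)
		go func() { defer wg.Done(); status(h, "Bearer admin-token") }()
		go func() {
			defer wg.Done()
			if status(h, "") == http.StatusOK {
				mu.Lock()
				bypassed++
				mu.Unlock()
			}
		}()
	}
	wg.Wait()
	return bypassed
}

func main() {
	fmt.Println("shared-state middleware, anonymous requests granted:", stress(racyChain(), 5000))
	fmt.Println("per-request-context middleware, anonymous requests granted:", stress(safeChain(), 5000))
}
```

The shared-state variant is also a data race in the Go memory-model sense, so `go run -race` on this file reports the write in `racyAuth` against the read in `racyAdmin` without needing to win the timing window; that is the check to run on any middleware chain that keeps per-request data outside the request's own context.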

Scores

CVSS v3 9.8
EPSS 0.0092
EPSS Percentile 55.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-362
Status published
Products (2)
grafana/grafana >= 9.2.0, < 9.2.4 (fixed in 9.2.4)
grafana/grafana (Go module) >= 9.2.0, < 9.2.4 (fixed in 9.2.4)
Published Nov 08, 2022
Tracked Since Feb 18, 2026