CVE-2022-39328: Unauthorized access to arbitrary endpoints in Grafana codebase

Nov 11, 2022

Ben Hirschberg
CTO & Co-founder

Grafana Labs published a security advisory for a new critical vulnerability in its open-source product. The vulnerability, marked as CVE-2022-39328, enables attackers to bypass authorization on arbitrary service endpoints.

A fix is already out. If you run a vulnerable 9.2.x version, update to 9.2.4.

According to the Grafana Labs release:

“Summary: An internal security audit identified a race condition in the Grafana codebase, which allowed an unauthenticated user to query an arbitrary endpoint in Grafana. A race condition in the HTTP context creation could result in an HTTP request being assigned the authentication/authorization middleware of another call. Under heavy load, it is possible that a call protected by a privileged middleware receives the middleware of a public query instead. As a result, an unauthenticated user can successfully query protected endpoints. The CVSS score for this vulnerability is 9.8 Critical.

Impact: Unauthenticated users can query arbitrary endpoints with malicious intent.”

Grafana released a fix: version 9.2.4.
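To make the advisory's description concrete, here is an added illustration (constructed for this post, not Grafana's code) of the bug class it describes: a middleware chain that parks the current route's access policy in state shared by all in-flight requests, so an interleaved public request can overwrite the policy a protected request is about to enforce, beside the fixed form that carries the policy in the request's own context. The route table, the `between` hook used to force the interleaving, and the handler names are all assumptions made for the example.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed route table (not Grafana's): which paths require a signed-in user.
var routes = map[string]bool{"/api/health": false, "/api/admin/users": true}

// authz is the final middleware: it decides from the policy it is handed.
func authz(r *http.Request, requiresAuth bool) int {
	if requiresAuth && r.Header.Get("Authorization") == "" {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}

// VulnChain models the flawed pattern: the policy chosen for the current
// route is kept in state shared by every in-flight request. If another
// request's route step runs between this request's route step and its
// authz step, the authz step reads the other request's policy.
type VulnChain struct{ requiresAuth bool }

func (c *VulnChain) Serve(r *http.Request, between func()) int {
	c.requiresAuth = routes[r.URL.Path] // route middleware
	between()                           // other middleware; another request may run here
	return authz(r, c.requiresAuth)     // authz reads possibly overwritten shared state
}

type policyKey struct{}

// FixedServe carries the policy in the request's own context, which no
// other request can reach, so interleaving cannot change the outcome.
func FixedServe(r *http.Request, between func()) int {
	r = r.WithContext(context.WithValue(r.Context(), policyKey{}, routes[r.URL.Path]))
	between()
	return authz(r, r.Context().Value(policyKey{}).(bool))
}

func main() {
	admin := httptest.NewRequest("GET", "/api/admin/users", nil) // no Authorization header
	health := httptest.NewRequest("GET", "/api/health", nil)
	c := &VulnChain{}
	// Interleave: the public request's route step runs while the admin request is mid-chain.
	fmt.Println("vulnerable:", c.Serve(admin, func() { c.Serve(health, func() {}) })) // 200
	fmt.Println("fixed:", FixedServe(admin, func() { c.Serve(health, func() {}) }))   // 401
}
```

The `between` hook makes the interleaving deterministic for the demonstration; in production the same overwrite only surfaces under concurrent load, which is why the advisory ties the bypass to heavy traffic.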

Team Kubescape has developed a dedicated control, C-0090, in the ARMOBest framework. It checks whether your cluster is running Grafana versions affected by this CVE.

Run the control now and check your system:

>kubescape scan control C-0090

To stay up to date, make sure to subscribe to our blog.