Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2022-39328
Summary
Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 prior to 9.2.4 contain a race condition in the authentication middlewares logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patched in 9.2.4. There are no known workarounds.
- HIGH
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- HIGH
- HIGH
CWE-362 - Race Condition
A race condition occurs in a shared memory program when two threads/processes access the same shared memory data, and at least one thread executes a write operation. This vulnerability manipulates the time to check vs. time to use (TOC/TOU) gap between the threads in the critical section to cause disorientation in the shared data. The impact can vary from compromising the confidentiality of the system to causing the system to crash or to execute arbitrary code.
Advisory Timeline
- Published