CVE-2022-39328: Grafana Releases New Versions for Recent Vulnerability

Grafana Labs released a security advisory stating that this vulnerability allows attackers to bypass the authorization process on arbitrary service endpoints.

Written by Piyush Chhiroliya

November 15, 2022 | 2 min read

About the vulnerability

Grafana is an open-source platform for observability and monitoring. Versions from 9.2.0 up to, but not including, 9.2.4 have a race condition in the authentication middleware logic that allows an unauthenticated user to query an administration endpoint under heavy load. This issue is patched in 9.2.4. Updating to the patched version is the only solution, as there are no known workarounds.

According to the Grafana Security release,

“An internal security audit identified a race condition in the Grafana codebase, which allowed an unauthenticated user to query an arbitrary endpoint in Grafana. A race condition in the HTTP context creation could result in an HTTP request being assigned another call’s authentication/authorization middleware. Under heavy load, it is possible that a call protected by a privileged middleware receives the middleware of a public query instead. As a result, an unauthenticated user can successfully query protected endpoints. CVSS score for this vulnerability is 9.8 Critical.”

Later, the severity of this vulnerability was reduced to HIGH with an 8.1 CVSS Score.

Impact

Unauthenticated users can query endpoints with malicious intent.

Remediation

Version 9.2.4 of Grafana was published as a fix.
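
Because upgrading is the only fix, the first step is finding which instances fall in the affected range (9.2.0 up to, but not including, 9.2.4). The following is an added example, not code from Grafana or PingSafe: it classifies instances from health-check JSON bodies, assuming each body carries a `version` field as Grafana's `/api/health` response does. The host names and sample bodies are constructed.

```python
import json
import re

AFFECTED_FROM = (9, 2, 0)  # first affected release, per the article
FIXED_IN = (9, 2, 4)       # patched release, per the article

# major.minor.patch with an optional "-prerelease" suffix, e.g. "9.2.4-beta1"
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-(.+))?$")

def classify(version_text):
    """Return 'affected', 'not-affected', 'review' or 'unknown'."""
    if not isinstance(version_text, str):
        return "unknown"  # field missing or not a string
    m = _VERSION_RE.match(version_text.strip())
    if not m:
        return "unknown"
    triple = tuple(int(x) for x in m.group(1, 2, 3))
    if AFFECTED_FROM <= triple < FIXED_IN:
        return "affected"  # conservative: pre-releases in range count too
    if triple == FIXED_IN and m.group(4):
        return "review"    # a pre-release of 9.2.4 may predate the fix
    return "not-affected"

def audit(health_bodies):
    """Map host -> status from raw health-check response bodies."""
    report = {}
    for host, body in health_bodies.items():
        try:
            version = json.loads(body).get("version")
        except (ValueError, AttributeError):
            version = None  # not JSON, or JSON that is not an object
        report[host] = classify(version)
    return report

# Constructed sample responses (hypothetical hosts), so this runs offline.
SAMPLE = {
    "grafana-a.example.internal": '{"database":"ok","version":"9.2.3"}',
    "grafana-b.example.internal": '{"database":"ok","version":"9.2.4"}',
    "grafana-c.example.internal": '{"database":"ok","version":"9.1.8"}',
    "grafana-d.example.internal": '{"database":"ok","version":"9.2.4-beta1"}',
    "grafana-e.example.internal": '{"database":"ok"}',
    "grafana-f.example.internal": "<html>502 Bad Gateway</html>",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}: {status}")
```

Instances reported as `unknown` or `review` should be checked by hand rather than assumed safe.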

How PingSafe can help

PingSafe helps you identify vulnerabilities and misconfigurations and enforce proper access controls in your container workloads. PingSafe scans your container images and compute machines and checks your cloud infrastructure for components affected by this vulnerability.

PingSafe’s cloud security platform enables you to stay on top of new zero-day attacks and improve your security posture across multiple cloud accounts. Sign up for a personalized demo to learn more.