Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-39328

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-08 Nov, 2022 | 00:00
Updated At-23 Apr, 2025 | 16:40
Rejected At-
Credits

Grafana vulnerable to race condition allowing privilege escalation

Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middlewares logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patched in 9.2.4. There are no known workarounds.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:08 Nov, 2022 | 00:00
Updated At:23 Apr, 2025 | 16:40
Rejected At:
▼CVE Numbering Authority (CNA)
Grafana vulnerable to race condition allowing privilege escalation

Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middlewares logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patched in 9.2.4. There are no known workarounds.

Affected Products
Vendor
Grafana Labsgrafana
Product
grafana
Versions
Affected
  • >= 9.2.0, < 9.2.4
Problem Types
TypeCWE IDDescription
CWECWE-362CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Type: CWE
CWE ID: CWE-362
Description: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Metrics
VersionBase scoreBase severityVector
3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch
N/A
https://security.netapp.com/advisory/ntap-20221215-0003/
N/A
Hyperlink: https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch
Resource: N/A
Hyperlink: https://security.netapp.com/advisory/ntap-20221215-0003/
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch
x_transferred
https://security.netapp.com/advisory/ntap-20221215-0003/
x_transferred
Hyperlink: https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch
Resource:
x_transferred
Hyperlink: https://security.netapp.com/advisory/ntap-20221215-0003/
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:08 Nov, 2022 | 23:15
Updated At:16 Feb, 2023 | 03:14

Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middlewares logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patched in 9.2.4. There are no known workarounds.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.18.1HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Secondary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 8.1
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CPE Matches
Grafana Labs
grafana
>>grafana>>Versions from 9.2.0(inclusive) to 9.2.4(exclusive)
cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-362Primarysecurity-advisories@github.com
CWE-362Secondarynvd@nist.gov
CWE ID: CWE-362
Type: Primary
Source: security-advisories@github.com
CWE ID: CWE-362
Type: Secondary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxchsecurity-advisories@github.com
Vendor Advisory
https://security.netapp.com/advisory/ntap-20221215-0003/security-advisories@github.com
Third Party Advisory
Hyperlink: https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch
Source: security-advisories@github.com
Resource:
Vendor Advisory
Hyperlink: https://security.netapp.com/advisory/ntap-20221215-0003/
Source: security-advisories@github.com
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

158Records found
CVE-2024-49115
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-8.1||HIGH
EPSS-0.36% / 57.50%
||
7 Day CHG+0.09%
Published-10 Dec, 2024 | 17:49
Updated-13 May, 2025 | 15:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Remote Desktop Services Remote Code Execution Vulnerability

Windows Remote Desktop Services Remote Code Execution Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_server_2016windows_server_2025windows_server_2022windows_server_2022_23h2windows_server_2019Windows Server 2019Windows Server 2016Windows Server 2025 (Server Core installation)Windows Server 2025Windows Server 2016 (Server Core installation)Windows Server 2019 (Server Core installation)Windows Server 2022, 23H2 Edition (Server Core installation)Windows Server 2022
CWE ID-CWE-416
Use After Free
CWE ID-CWE-591
Sensitive Data Storage in Improperly Locked Memory
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2024-49126
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-8.1||HIGH
EPSS-0.48% / 64.09%
||
7 Day CHG+0.11%
Published-10 Dec, 2024 | 17:49
Updated-13 May, 2025 | 15:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability

Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_11_23h2windows_server_2008windows_server_2016windows_10_1809windows_server_2012windows_11_22h2windows_server_2025windows_11_24h2windows_10_21h2windows_server_2022_23h2windows_10_22h2windows_10_1507windows_server_2022windows_10_1607windows_server_2019Windows 10 Version 22H2Windows Server 2012Windows 10 Version 1809Windows 11 version 22H3Windows 11 Version 23H2Windows Server 2008 R2 Service Pack 1Windows 10 Version 1607Windows Server 2016Windows Server 2025 (Server Core installation)Windows 11 Version 24H2Windows Server 2012 R2Windows Server 2012 (Server Core installation)Windows 10 Version 21H2Windows Server 2022, 23H2 Edition (Server Core installation)Windows 10 Version 1507Windows Server 2022Windows 11 version 22H2Windows Server 2019Windows Server 2008 Service Pack 2 (Server Core installation)Windows Server 2012 R2 (Server Core installation)Windows Server 2008 R2 Service Pack 1 (Server Core installation)Windows Server 2025Windows Server 2016 (Server Core installation)Windows Server 2019 (Server Core installation)Windows Server 2008 Service Pack 2Windows Server 2008 Service Pack 2
CWE ID-CWE-416
Use After Free
CWE ID-CWE-591
Sensitive Data Storage in Improperly Locked Memory
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2024-49119
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-8.1||HIGH
EPSS-0.29% / 51.72%
||
7 Day CHG+0.07%
Published-10 Dec, 2024 | 17:49
Updated-13 May, 2025 | 15:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Remote Desktop Services Remote Code Execution Vulnerability

Windows Remote Desktop Services Remote Code Execution Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_server_2016windows_server_2025windows_server_2022windows_server_2022_23h2windows_server_2019Windows Server 2019Windows Server 2016Windows Server 2025 (Server Core installation)Windows Server 2025Windows Server 2016 (Server Core installation)Windows Server 2019 (Server Core installation)Windows Server 2022, 23H2 Edition (Server Core installation)Windows Server 2022
CWE ID-CWE-843
Access of Resource Using Incompatible Type ('Type Confusion')
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2021-29986
Matching Score-4
Assigner-Mozilla Corporation
ShareView Details
Matching Score-4
Assigner-Mozilla Corporation
CVSS Score-8.1||HIGH
EPSS-0.31% / 53.75%
||
7 Day CHG~0.00%
Published-17 Aug, 2021 | 19:12
Updated-03 Aug, 2024 | 22:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash. *Note: This issue only affected Linux operating systems. Other operating systems are unaffected.* This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.

Action-Not Available
Vendor-Mozilla CorporationLinux Kernel Organization, Inc
Product-firefoxthunderbirdlinux_kernelfirefox_esrThunderbirdFirefox ESRFirefox
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2017-5035
Matching Score-4
Assigner-Chrome
ShareView Details
Matching Score-4
Assigner-Chrome
CVSS Score-8.1||HIGH
EPSS-0.43% / 62.01%
||
7 Day CHG~0.00%
Published-24 Apr, 2017 | 23:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Google Chrome prior to 57.0.2987.98 for Windows and Mac had a race condition, which could cause Chrome to display incorrect certificate information for a site.

Action-Not Available
Vendor-n/aDebian GNU/LinuxRed Hat, Inc.Apple Inc.Microsoft CorporationGoogle LLC
Product-chromeenterprise_linux_desktopenterprise_linux_workstationdebian_linuxenterprise_linux_servermacoswindowsGoogle Chrome prior to 57.0.2987.98 for Windows and Mac
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2020-36454
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.28% / 51.07%
||
7 Day CHG~0.00%
Published-08 Aug, 2021 | 05:14
Updated-04 Aug, 2024 | 17:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in the parc crate through 2020-11-14 for Rust. LockWeak<T> has an unconditional implementation of Send without trait bounds on T.

Action-Not Available
Vendor-parc_projectn/a
Product-parcn/a
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2020-36435
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.34% / 55.76%
||
7 Day CHG~0.00%
Published-08 Aug, 2021 | 05:19
Updated-04 Aug, 2024 | 17:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in the ruspiro-singleton crate before 0.4.1 for Rust. In Singleton, Send and Sync do not have bounds checks.

Action-Not Available
Vendor-ruspiro-singleton_projectn/a
Product-ruspiro-singletonn/a
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2020-35882
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-8.1||HIGH
EPSS-0.34% / 55.76%
||
7 Day CHG~0.00%
Published-31 Dec, 2020 | 08:26
Updated-04 Aug, 2024 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in the rocket crate before 0.4.5 for Rust. LocalRequest::clone creates more than one mutable references to the same object, possibly causing a data race.

Action-Not Available
Vendor-rocketn/a
Product-rocketn/a
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • Next
Details not found