Technical Advisory 75758


Publication date: February 10, 2022

Description

Under some circumstances, all users, including users without the admin role or the CANCELQUERY option, are able to cancel any other user's sessions on the Sessions page of the DB Console on CockroachDB v20.2, v21.1, and v21.2.

This issue is fixed in v20.2.19, v21.1.14, and v21.2.5.

Statement

This issue is resolved in CockroachDB by #75814. The fix has been applied to maintenance versions v20.2.19, v21.1.14, and v21.2.5 of CockroachDB.

This public issue is tracked as #75758.

Mitigation

Users of CockroachDB are encouraged to upgrade to a maintenance version with the fix applied: v20.2.19, v21.1.14, or v21.2.5.

Impact

All deployments up to v20.2.18, v21.1.13, and v21.2.4 are affected.

Users without the appropriate permissions may cancel any other users' sessions from the DB Console.
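
As an added example (not part of the original advisory and not CockroachDB tooling), the following Python check sorts an inventory of version strings against the fixed releases listed above. The node names and build strings are constructed, and the "unlisted" and "review" statuses are assumptions of this example for versions the advisory does not name.

```python
import re

# Fixed maintenance releases named in the advisory, keyed by release series.
FIXED_PATCH = {(20, 2): 19, (21, 1): 14, (21, 2): 5}

# Matches "v21.1.13" and pre-release builds such as "v21.2.0-beta.1",
# also when the version is embedded in a longer build string.
_VERSION = re.compile(r"v(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")


def classify(version_text):
    """Return 'affected', 'fixed', 'review' or 'unlisted' for one version string."""
    m = _VERSION.search(version_text)
    if m is None:
        return "review"  # unparseable: needs a human look
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    prerelease = m.group(4) is not None
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        # The advisory names only v20.2, v21.1 and v21.2; other series are
        # reported separately rather than guessed at (assumption of this example).
        return "unlisted"
    if patch < fixed:
        return "affected"
    if patch == fixed and prerelease:
        return "review"  # pre-release of the fixed patch level: not covered by the advisory
    return "fixed"


def triage(inventory):
    """Group node names by status. `inventory` maps node name -> version string."""
    report = {"affected": [], "fixed": [], "review": [], "unlisted": []}
    for node, version_text in sorted(inventory.items()):
        report[classify(version_text)].append(node)
    return report


# Constructed sample inventory (node names and build strings are made up).
SAMPLE = {
    "crdb-a1": "v20.2.18",
    "crdb-a2": "v20.2.19",
    "crdb-b1": "CockroachDB CCL v21.1.13 (x86_64-unknown-linux-gnu)",
    "crdb-c1": "v21.2.0-beta.1",
    "crdb-c2": "v21.2.5",
    "crdb-d1": "v22.1.0",
    "crdb-e1": "unknown",
}
```

Calling `triage(SAMPLE)` returns the node names grouped by status, so the "affected" list is the upgrade queue.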

Questions about any technical alert can be directed to our support team.

