CVE-2022-39307

Published: Nov 9, 2022Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a “user not found” message. This leaks information to unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. There are no known workarounds.

Affected (2)

Products: Grafana: Grafana

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Grafana Grafana	Before 8.5.15
Grafana Grafana	From 9.0.0 to 9.2.4

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Generation of Error Message Containing Sensitive Information

The product generates an error message that includes sensitive information about its environment, users, or associated data.

References (4)

https://github.com/grafana/grafana/security/advisories/GHSA-3p62-42x7-gxg5

Source: security-advisories@github.com

Vendor Advisory

https://security.netapp.com/advisory/ntap-20221215-0004/

Source: security-advisories@github.com

Third Party Advisory

https://github.com/grafana/grafana/security/advisories/GHSA-3p62-42x7-gxg5

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://security.netapp.com/advisory/ntap-20221215-0004/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.