CVE-2022-39307

Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a “user not found” message. This leaks information to unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. There are no known workarounds.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*

History

15 Dec 2022, 19:15

Type Values Removed Values Added
References
  • (CONFIRM) https://security.netapp.com/advisory/ntap-20221215-0004/ -
CWE NVD-CWE-noinfo CWE-200

11 Nov 2022, 00:58

Type Values Removed Values Added
References (CONFIRM) https://github.com/grafana/grafana/security/advisories/GHSA-3p62-42x7-gxg5 - (CONFIRM) https://github.com/grafana/grafana/security/advisories/GHSA-3p62-42x7-gxg5 - Patch, Third Party Advisory
CWE NVD-CWE-noinfo
CPE cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
First Time Grafana
Grafana grafana
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.3

10 Nov 2022, 00:33

Type Values Removed Values Added
New CVE

Information

Published : 2022-11-09 23:15

Updated : 2022-12-15 19:15


NVD link : CVE-2022-39307

Mitre link : CVE-2022-39307


JSON object : View

Products Affected

grafana

  • grafana
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor