CVE-2022-39307
Grafana subject to Exposure of Sensitive Information resulting in User enumeration via forget password
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits: 0
Exploited in Wild: -
Decision: -
Descriptions
Grafana is an open-source platform for monitoring and observability. When the forgot-password function on the login page is used, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the supplied username or email does not exist, the JSON response contains a “user not found” message. This reveals to unauthenticated users which accounts exist (user enumeration) and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. There are no known workarounds.
An information leak was discovered in Grafana. Remote unauthenticated users could use the forgot-password feature to discover which user accounts exist.
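The defect described above is the CWE-209 pattern: the error path tells the caller something the success path does not. The following is an added example, not Grafana's code, showing a minimal reset-email handler that behaves the way the advisory describes (distinct "user not found" response) next to a hardened version that returns the same status and body whether or not the account exists, plus a small probe that checks whether the two responses are distinguishable. The user store, the request field name `userOrEmail`, and the response messages are constructed assumptions for this example; the endpoint path is the one quoted on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed user store standing in for Grafana's user lookup (assumption).
var knownUsers = map[string]bool{
	"alice":           true,
	"bob@example.com": true,
}

// resetRequest is the assumed JSON body of the reset-email request.
type resetRequest struct {
	UserOrEmail string `json:"userOrEmail"`
}

// leakyResetHandler reproduces the behaviour the advisory describes:
// a distinct status and message when the account does not exist.
func leakyResetHandler(w http.ResponseWriter, r *http.Request) {
	var req resetRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, `{"message":"bad request"}`, http.StatusBadRequest)
		return
	}
	if !knownUsers[req.UserOrEmail] {
		w.WriteHeader(http.StatusNotFound)
		fmt.Fprint(w, `{"message":"user not found"}`)
		return
	}
	fmt.Fprint(w, `{"message":"Email sent"}`)
}

// hardenedResetHandler performs the lookup but answers identically either way.
// Whether mail is actually sent is decided out of band and never reflected
// in the HTTP response.
func hardenedResetHandler(w http.ResponseWriter, r *http.Request) {
	var req resetRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, `{"message":"bad request"}`, http.StatusBadRequest)
		return
	}
	if knownUsers[req.UserOrEmail] {
		// Constructed stand-in for queueing the reset email.
		_ = req.UserOrEmail
	}
	w.WriteHeader(http.StatusOK)
	fmt.Fprint(w, `{"message":"Email sent"}`)
}

// probe posts a reset request for one account and returns status and body.
func probe(h http.HandlerFunc, userOrEmail string) (int, string) {
	body, _ := json.Marshal(resetRequest{UserOrEmail: userOrEmail})
	req := httptest.NewRequest(http.MethodPost,
		"/api/user/password/sent-reset-email", bytesReader(body))
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Body.String()
}

// responsesDiffer reports whether a handler lets a caller distinguish an
// existing account from a missing one by status code or response body.
func responsesDiffer(h http.HandlerFunc, existing, missing string) bool {
	c1, b1 := probe(h, existing)
	c2, b2 := probe(h, missing)
	return c1 != c2 || b1 != b2
}

// bytesReader wraps a byte slice as an io.Reader without another import.
func bytesReader(b []byte) *sliceReader { return &sliceReader{b: b} }

type sliceReader struct{ b []byte }

func (s *sliceReader) Read(p []byte) (int, error) {
	if len(s.b) == 0 {
		return 0, fmt.Errorf("EOF")
	}
	n := copy(p, s.b)
	s.b = s.b[n:]
	return n, nil
}

func main() {
	fmt.Println("leaky handler distinguishable:", responsesDiffer(leakyResetHandler, "alice", "nobody"))
	fmt.Println("hardened handler distinguishable:", responsesDiffer(hardenedResetHandler, "alice", "nobody"))
}
```

The probe only compares status and body, which is the channel this advisory concerns; a production check should also keep the existing and missing branches similar in processing time, since a user lookup that skips mail sending can otherwise be told apart by latency.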
CVSS Scores
SSVC
- Decision: -
Timeline
- 2022-09-02 CVE Reserved
- 2022-11-09 CVE Published
- 2024-04-21 EPSS Updated
- 2024-08-03 CVE Updated
- Exploited in Wild: -
- KEV Due Date: -
- First Exploit: -
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-209: Generation of Error Message Containing Sensitive Information
CAPEC
References (4)
URL | Date | Tag |
---|---|---|
https://security.netapp.com/advisory/ntap-20221215-0004 | | Third Party Advisory |
https://github.com/grafana/grafana/security/advisories/GHSA-3p62-42x7-gxg5 | 2023-07-14 | |
https://access.redhat.com/security/cve/CVE-2022-39307 | 2023-11-07 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2138015 | 2023-11-07 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Grafana | Grafana | < 8.5.15 | - | Affected |
Grafana | Grafana | >= 9.0.0 < 9.2.4 | - | Affected |