CVE-2022-39229: Grafana users with email as a username can block other users from signing in
First published: Fri Sep 30 2022(Updated: )
A flaw was found in the Grafana web application. When a user logs into the system, either the username or email address can be used. However, the login system allows both a username and connected email to be registered, which could allow an attacker to prevent a user which has an associated email address access.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/grafana | <0:7.5.15-4.el8 | 0:7.5.15-4.el8 |
| redhat/grafana | <0:9.0.9-2.el9 | 0:9.0.9-2.el9 |
| Grafana Grafana | <8.5.14 | |
| Grafana Grafana | >=9.0.0<9.1.8 | |
| go/github.com/grafana/grafana | >=9.0.0<9.1.8 | 9.1.8 |
| go/github.com/grafana/grafana | <8.5.14 | 8.5.14 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2022-39229 https://nvd.nist.gov/vuln/detail/CVE-2022-39229
- https://bugzilla.redhat.com/show_bug.cgi?id=2131149
- https://access.redhat.com/errata/RHSA-2023:3642
- https://access.redhat.com/errata/RHSA-2023:2784
- https://access.redhat.com/errata/RHSA-2023:2167
- https://access.redhat.com/security/cve/cve-2022-39229
- https://github.com/grafana/grafana/commit/5644758f0c5ae9955a4e5480d71f9bef57fdce35
- https://github.com/grafana/grafana/releases/tag/v9.1.8
- https://github.com/grafana/grafana/security/advisories/GHSA-gj7m-853r-289r
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2134701
- https://nvd.nist.gov/vuln/detail/CVE-2022-39229
- https://github.com/advisories/GHSA-gj7m-853r-289r (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2022-39229?
CVE-2022-39229 is a vulnerability found in the Grafana web application that allows one user to block another user's login attempt by registering someone else's email address as a username.
Which versions of Grafana are affected by CVE-2022-39229?
Versions prior to 9.1.8 and 8.5.14 of Grafana are affected by CVE-2022-39229.
What is the severity of CVE-2022-39229?
CVE-2022-39229 has a severity rating of medium (4) according to the National Vulnerability Database.
How can I fix CVE-2022-39229?
To fix CVE-2022-39229, users should update Grafana to version 9.1.8 or 8.5.14.
Where can I find more information about CVE-2022-39229?
More information about CVE-2022-39229 can be found at the following references: [CVE Details](https://www.cve.org/CVERecord?id=CVE-2022-39229), [National Vulnerability Database](https://nvd.nist.gov/vuln/detail/CVE-2022-39229), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=2131149), [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2023:2784)
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-39229
- agent/remedy
- agent/weakness
- agent/severity
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-gj7m-853r-289r
- agent/software-canonical-lookup
- agent/references
- agent/softwarecombine
- agent/description
- collector/nvd-cve
- source/NVD
- agent/author
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/tags
- agent/event
- package-manager/redhat
- vendor/grafana
- canonical/grafana grafana
- version/grafana grafana/9.0.0
- package-manager/go