CVE-2022-39307: Grafana subject to Exposure of Sensitive Information resulting in User enumeration via forget password
First published: Wed Oct 26 2022(Updated: )
Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a “user not found” message. This leaks information to unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. There are no known workarounds.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Grafana Grafana | <8.5.15 | |
| Grafana Grafana | >=9.0.0<9.2.4 | |
| redhat/grafana 9.2.4 grafana | <8.5.15 | 8.5.15 |
| go/github.com/grafana/grafana | <8.5.15 | 8.5.15 |
| go/github.com/grafana/grafana | >=9.0.0<9.2.4 | 9.2.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/grafana/grafana/security/advisories/GHSA-3p62-42x7-gxg5
- https://security.netapp.com/advisory/ntap-20221215-0004/
- http://tracker.ceph.com/issues/48
- https://pkg.go.dev/github.com/grafana/grafana
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2141185
- https://access.redhat.com/errata/RHSA-2023:3642
- https://access.redhat.com/errata/RHSA-2023:6420
- https://bugzilla.redhat.com/show_bug.cgi?id=2138015
- https://nvd.nist.gov/vuln/detail/CVE-2022-39307
- https://github.com/advisories/GHSA-3p62-42x7-gxg5 (Advisory)
- https://security.netapp.com/advisory/ntap-20221215-0004
Frequently Asked Questions
What is CVE-2022-39307?
CVE-2022-39307 is a vulnerability in Grafana, an open-source platform for monitoring and observability.
What is the severity of CVE-2022-39307?
The severity of CVE-2022-39307 is medium, with a severity value of 5.3.
How does CVE-2022-39307 affect Grafana?
CVE-2022-39307 affects Grafana versions up to (but not including) 8.5.15, as well as versions between 9.0.0 and 9.2.4.
What is the impact of CVE-2022-39307?
The impact of CVE-2022-39307 is the leakage of a 'user not found' message when using the forget password feature, which can disclose information about valid usernames or email addresses.
How can I fix CVE-2022-39307?
To fix CVE-2022-39307, update Grafana to version 8.5.15 or later, or version 9.2.5 or later if using versions between 9.0.0 and 9.2.4.
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/softwarecombine
- agent/severity
- agent/description
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/author
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-3p62-42x7-gxg5
- alias/CVE-2022-39307
- agent/references
- collector/github-advisory
- collector/redhat-bugzilla
- source/Red Hat
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/tags
- agent/event
- vendor/grafana
- canonical/grafana grafana
- version/grafana grafana/9.0.0
- package-manager/go
- package-manager/redhat