CVE-2022-39307

CVE-2022-39307

Name

CVE-2022-39307

Description

Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a “user not found” message. This leaks information to unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. There are no known workarounds.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
CONFIRM	https://github.com/grafana/grafana/security/advisories/GHSA-3p62-42x7-gxg5
Third Party Advisory	https://security.netapp.com/advisory/ntap-20221215-0004/

Type

URI

CONFIRM

https://github.com/grafana/grafana/security/advisories/GHSA-3p62-42x7-gxg5

Third Party Advisory

https://security.netapp.com/advisory/ntap-20221215-0004/

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:grafana:grafana::::::::`	grafana	>= 9.0.0	< 9.2.4
`cpe:2.3:a:grafana:grafana::::::::`	grafana	>= None	< 8.5.15

CPE URI

Source package

Min version

Max version

cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*

grafana

>= 9.0.0

< 9.2.4

cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*

grafana

>= None

< 8.5.15

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
grafana	edge-community	9.1.2-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	9.0.3-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	8.5.3-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	8.3.6-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	8.3.4-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	8.3.2-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	8.3.1-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	8.2.4-r0	Konstantin Kulikov <k.kulikov2@gmail.com>	possibly vulnerable
grafana	edge-community	7.4.5-r0	None	possibly vulnerable
grafana	edge-community	7.0.2-r0	None	possibly vulnerable
grafana	edge-community	6.3.4-r0	None	possibly vulnerable
grafana	3.22-community	9.1.2-r0	None	possibly vulnerable
grafana	3.22-community	9.0.3-r0	None	possibly vulnerable
grafana	3.22-community	8.5.3-r0	None	possibly vulnerable
grafana	3.22-community	8.3.6-r0	None	possibly vulnerable
grafana	3.22-community	8.3.4-r0	None	possibly vulnerable
grafana	3.22-community	8.3.2-r0	None	possibly vulnerable
grafana	3.22-community	8.3.1-r0	None	possibly vulnerable
grafana	3.22-community	8.2.4-r0	None	possibly vulnerable
grafana	3.22-community	7.4.5-r0	None	possibly vulnerable
grafana	3.22-community	7.0.2-r0	None	possibly vulnerable
grafana	3.22-community	6.3.4-r0	None	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages