CVE-2022-39229Improper Authentication in Grafana Grafana

CWE-287Improper Authentication7 documents5 sources
Severity
4.3MEDIUMNVD
EPSS
0.1%
top 82.44%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Github.com Grafana GrafanaGrafana
Timeline
PublishedOct 13
Latest updateJun 5

Description

Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to 9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email address as a username. A Grafana user’s username and email address are unique fields, that means no other user can have the same username or email address as another user. A user can have an email address as a username. However, the login system allows users to log in with either username o

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:LExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

NVDgrafana/grafana9.0.09.1.8+1
Gogithub.com/grafana_grafana9.0.09.1.8+1
CVEListV5grafana/grafana>= 8.5.0, < 8.5.14, >= 9.0.0, < 9.1.8+1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

5
OSV
Grafana when using email as a username can block other users from signing in in github.com/grafana/grafana2024-06-05
OSV
Grafana when using email as a username can block other users from signing in2024-05-14
GHSA
Grafana when using email as a username can block other users from signing in2024-05-14
CVEList
Grafana users with email as a username can block other users from signing in2022-10-13
OSV
CVE-2022-39229: Grafana is an open source data visualization platform for metrics, logs, and traces2022-10-13

📋Vendor Advisories

1
Red Hat
grafana: using email as a username can block other users from signing in2022-10-14
CVE-2022-39229 — Improper Authentication | cvebase