CVE-2022-39307
published 2022-11-09

Priority: P4 25
Severity: medium, 5.3 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N
EPSS: 0.70% (48.3rd percentile)
Grafana is an open-source platform for monitoring and observability. When the forgot-password feature on the login page is used, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the supplied username or email does not exist, the JSON response contains a "user not found" message. An unauthenticated caller can therefore tell which usernames and email addresses are registered (user enumeration), which is a security risk on its own and a useful first step for credential attacks. This issue has been patched in 9.2.4 and backported to 8.5.15. There are no known workarounds.

Affected

5 ranges

Vendor     | Product         | Version range       | Fixed in
github.com | grafana_grafana | >= 0, < 8.5.15      | 8.5.15
github.com | grafana_grafana | >= 9.0.0, < 9.2.4   | 9.2.4
grafana    | grafana         | < 8.5.15            | 8.5.15
grafana    | grafana         | (no range given)    |
grafana    | grafana         | >= 9.0.0, < 9.2.4   | 9.2.4

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 5.3   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
ghsa          |         | 5.3   | MEDIUM   |
osv           |         | 5.3   | MEDIUM   |
vendor_redhat |         | 6.7   | MEDIUM   |