User enumeration via forget password
Medium
| Advisory ID: | CVE-2022-39307 |
| Published: | 2022-11-08 |
| Product: | Grafana |
| CVSS Score: | 6.7 |
| CVSS Vector: | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L |
| Fixed Versions: | >=9.2.4 >=8.5.15 |
Summary
Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the
/api/user/password/sent-reset-email URL. When the username or email does not exist, a JSON response contains a “user not found” message. This leaks information to unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. There are no known workarounds.