CVE-2022-39307
Severity: MEDIUM
Grafana < 8.5.15 and 9.0.0 to < 9.2.4 - Unauthenticated Sensitive Information Disclosure via Password Reset Endpoint
Title source: llmDescription
Grafana is an open-source platform for monitoring and observability. When a user submits the "forgot password" form on the login page, the browser sends a POST request to `/api/user/password/send-reset-email`. In affected versions, when the submitted username or email does not exist, the endpoint answers with a JSON body containing a "user not found" message, while an existing account gets a different response. Because the endpoint requires no authentication, anyone who can reach the login page can use it as an oracle to enumerate valid usernames and email addresses, which is the information disclosure tracked here. The issue is patched in 9.2.4 and backported to 8.5.15. There are no known workarounds; a fixed instance should return the same status and body whether or not the submitted account exists, which is also the quickest way to verify that an upgrade took effect.
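The following Go example is added here to illustrate the oracle described above and the shape of the fix; it is not Grafana's code. It stands in a minimal handler for the reset endpoint in two forms: one that answers differently for unknown accounts (the behaviour the advisory describes) and one that answers identically and only decides internally whether to send mail. The request path, the `userOrEmail` field name, the in-memory user store and the mailer stub are assumptions made for the example, not details taken from this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// knownUsers is a constructed stand-in for the user store (not Grafana's code).
var knownUsers = map[string]bool{"admin": true, "alice@example.com": true}

// sentTo records which accounts the (stubbed) mailer was asked to contact.
var sentTo []string

func sendResetEmail(login string) { sentTo = append(sentTo, login) }

// resetRequest assumes the JSON field name used by the reset form.
type resetRequest struct {
	UserOrEmail string `json:"userOrEmail"`
}

// vulnerableHandler reproduces the behaviour in the advisory: status and body
// depend on whether the account exists, so an unauthenticated caller can
// enumerate valid logins one request at a time.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	var req resetRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, `{"message":"bad request"}`, http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	if !knownUsers[req.UserOrEmail] {
		w.WriteHeader(http.StatusNotFound)
		json.NewEncoder(w).Encode(map[string]string{"message": "user not found"})
		return
	}
	sendResetEmail(req.UserOrEmail)
	json.NewEncoder(w).Encode(map[string]string{"message": "Email sent"})
}

// hardenedHandler returns one fixed response; the lookup result only controls
// whether mail is actually sent, so the caller learns nothing about existence.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	var req resetRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, `{"message":"bad request"}`, http.StatusBadRequest)
		return
	}
	if knownUsers[req.UserOrEmail] {
		sendResetEmail(req.UserOrEmail)
	}
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusOK)
	json.NewEncoder(w).Encode(map[string]string{"message": "Email sent"})
}

// probe posts one candidate login to a handler and returns "status body" so the
// responses for a real and a bogus account can be compared directly.
func probe(h http.HandlerFunc, candidate string) string {
	body := strings.NewReader(fmt.Sprintf(`{"userOrEmail":%q}`, candidate))
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/api/user/password/send-reset-email", body)
	h(rec, req)
	out, _ := io.ReadAll(rec.Result().Body)
	return fmt.Sprintf("%d %s", rec.Code, strings.TrimSpace(string(out)))
}

// leaksExistence reports whether the handler distinguishes a known account from
// an unknown one, i.e. whether it exposes the oracle this CVE describes.
func leaksExistence(h http.HandlerFunc) bool {
	return probe(h, "admin") != probe(h, "nobody-here")
}

func main() {
	fmt.Println("vulnerable handler leaks existence:", leaksExistence(vulnerableHandler))
	fmt.Println("hardened handler leaks existence:", leaksExistence(hardenedHandler))
}
```

The same two-probe comparison, run against a live instance with one login that is known not to exist and one that does, is the practical check for whether an upgrade closed the oracle: any difference in status code, body, or headers between the two answers means the endpoint still leaks.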
References
https://security.netapp.com/advisory/ntap-20221215-0004/ (Third Party Advisory)
Scores
CVSS v3.1 base score: 6.7 (vector CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L; Attack Vector: Network)
EPSS: 0.0070 (percentile 48.0%)
Note: the PR:L, UI:R and C:H/I:H components of the vector shown here do not match the description above, which involves no authentication or user interaction and discloses only whether an account exists. Treat 6.7 as one scoring source's value and check the vendor advisory before using it to prioritise.
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-209 (Generation of Error Message Containing Sensitive Information), CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
Status: published
Products (2)
grafana/grafana (Go): < 8.5.15
grafana/grafana (Go): 9.0.0 to < 9.2.4
Published: Nov 09, 2022
Tracked since: Feb 18, 2026