Home > Vulnerability Database > CVE-2022-39307

Mend.io Vulnerability Database

CVE-2022-39307

Good to know:

Date: November 8, 2022

Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the "/api/user/password/sent-reset-email" URL. When the username or email does not exist, a JSON response contains a “user not found” message. This leaks information to unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. There are no known workarounds.

Language: Go

Severity Score

6.7

Related Resources (7)

Url: https://security.netapp.com/advisory/ntap-20221215-0004/

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-39307

Url: https://security.netapp.com/advisory/ntap-20221215-0004

Url: https://github.com/grafana/grafana

Url: https://access.redhat.com/security/cve/CVE-2022-39307

Url: https://github.com/grafana/grafana/security/advisories/GHSA-3p62-42x7-gxg5

Url: https://www.mend.io/vulnerability-database/CVE-2022-39307

Severity Score

6.7

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Insufficient Information

NVD-CWE-noinfo

Generation of Error Message Containing Sensitive Information

CWE-209

Top Fix

Upgrade Version

Upgrade to version github.com/grafana/grafana - v8.5.15;github.com/grafana/grafana - v9.2.4

Learn More

CVSS v3.1

Base Score:	6.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2022-39307

Good to know:

Date: November 8, 2022

Language: Go

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?