PT-2022-7306 · Grafana+5

Vtorosyan · Published 2022-11-08 · Updated 2025-09-29 · CVE-2022-39307

CVSS v4.0: 7.3 (High)
Vector: AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Grafana versions prior to 8.5.15
Grafana versions 9.0.0 through 9.2.3

Description
Grafana is an open-source platform for monitoring and observability. When the forgot-password form on the login page is used, a POST request is made to the "/api/user/password/sent-reset-email" endpoint. If the submitted username or email does not exist, the JSON response contains a "user not found" message, whereas an existing account gets a different response. Because the endpoint is reachable without authentication, anyone can use this difference as an oracle to enumerate valid usernames and email addresses, which is useful for credential-stuffing and password-spraying attacks.

Recommendations
For Grafana versions prior to 8.5.15, update to version 8.5.15 or later. For Grafana versions 9.0.0 through 9.2.3, update to version 9.2.4 or later. As a temporary workaround until you can upgrade, consider restricting access to the /api/user/password/sent-reset-email API endpoint; note that doing so also disables self-service password reset for legitimate users.
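To make the oracle concrete, here is an added example (written for this page, not Grafana's own code or its fix): a minimal net/http handler for the reset endpoint in the shape the description gives, a hardened variant that answers identically whether or not the account exists, and an enumeration probe run against both with httptest. The request field name userOrEmail, the in-memory user store, the control name and the exact status codes are assumptions for the illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed user store standing in for Grafana's user table (example data only).
var knownUsers = map[string]bool{"alice": true, "alice@example.com": true}

// resetForm is the assumed request body; the field name is an assumption.
type resetForm struct {
	UserOrEmail string `json:"userOrEmail"`
}

func writeJSON(w http.ResponseWriter, status int, msg string) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	_ = json.NewEncoder(w).Encode(map[string]string{"message": msg})
}

func decodeForm(r *http.Request) (string, bool) {
	var f resetForm
	if r.Method != http.MethodPost || json.NewDecoder(r.Body).Decode(&f) != nil {
		return "", false
	}
	return strings.TrimSpace(f.UserOrEmail), true
}

// VulnerableHandler has the behaviour the advisory describes: the reply depends on
// whether the account exists, so the endpoint doubles as an enumeration oracle.
func VulnerableHandler(w http.ResponseWriter, r *http.Request) {
	user, ok := decodeForm(r)
	if !ok {
		writeJSON(w, http.StatusBadRequest, "bad request")
		return
	}
	if !knownUsers[user] {
		writeJSON(w, http.StatusNotFound, "user not found") // the leak
		return
	}
	// a real implementation would send the reset e-mail here
	writeJSON(w, http.StatusOK, "Email sent")
}

// HardenedHandler returns the same status and body in both cases; the lookup only
// decides whether an e-mail is sent, and unknown names are logged server-side.
func HardenedHandler(w http.ResponseWriter, r *http.Request) {
	user, ok := decodeForm(r)
	if !ok {
		writeJSON(w, http.StatusBadRequest, "bad request")
		return
	}
	if !knownUsers[user] {
		fmt.Printf("password reset requested for unknown user %q\n", user) // log, do not tell the client
	}
	// a real implementation would send the reset e-mail here for known users
	writeJSON(w, http.StatusOK, "Email sent")
}

// probe sends one reset request and returns what an attacker observes: status and message.
func probe(h http.Handler, userOrEmail string) (int, string) {
	body, _ := json.Marshal(resetForm{UserOrEmail: userOrEmail})
	req := httptest.NewRequest(http.MethodPost, "/api/user/password/sent-reset-email", strings.NewReader(string(body)))
	req.Header.Set("Content-Type", "application/json")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	var resp map[string]string
	_ = json.Unmarshal(rec.Body.Bytes(), &resp)
	return rec.Code, resp["message"]
}

// Enumerate returns the candidates the endpoint reveals as existing accounts. Each
// candidate's reply is compared with the reply for a control name assumed not to
// exist; any difference in status or message is the oracle.
func Enumerate(h http.Handler, control string, candidates []string) []string {
	ctrlCode, ctrlMsg := probe(h, control)
	var found []string
	for _, c := range candidates {
		if code, msg := probe(h, c); code != ctrlCode || msg != ctrlMsg {
			found = append(found, c)
		}
	}
	return found
}

func main() {
	candidates := []string{"alice", "bob", "alice@example.com"}
	fmt.Println("vulnerable:", Enumerate(http.HandlerFunc(VulnerableHandler), "zz-nonexistent-control", candidates))
	fmt.Println("hardened:  ", Enumerate(http.HandlerFunc(HardenedHandler), "zz-nonexistent-control", candidates))
}
```

The same probe-and-compare logic is what you would run against a live instance when checking whether an upgrade or the endpoint restriction actually took effect: send the request for a name that cannot exist and for a known account, and confirm the two replies are byte-identical. The hardened handler only equalises status and body; a deployment that wants to close the oracle completely should also keep the response time independent of the lookup result and rate-limit the endpoint, since the described fix concerns the message and not timing.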

Weakness Enumeration

CWE-209: Generation of Error Message Containing Sensitive Information
Information Disclosure

Related Identifiers

ALSA-2023:6420
ALSA-2025_16880
ALT-PU-2022-3295
ALT-PU-2023-1161
ALT-PU-2023-4567
BDU:2024-02616
BIT-GRAFANA-2022-39307
CVE-2022-39307
ECHO-820C-CCBE-62EB
GHSA-3P62-42X7-GXG5
GO-2024-2844
OESA-2025-1186
OESA-2025-1187
OESA-2025-1188
OESA-2025-1189
OPENSUSE-SU-2023_0353-1
OPENSUSE-SU-2023_0362-1
OPENSUSE-SU-2024:12531-1
RHSA-2023:6420
RHSA-2023_6420
SUSE-SU-2023:0352-1
SUSE-SU-2023:0353-1
SUSE-SU-2023:0362-1
SUSE-SU-2024:0191-1
SUSE-SU-2024:0196-1

Affected Products

Alt Linux
Almalinux
Grafana
Red Hat
Red Os
Suse