PT-2022-7308 · Grafana+6

Published: 2022-10-13 · Updated: 2025-09-29 · CVE-2022-39229

CVSS v4.0: 5.1 (Medium)

Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Grafana versions prior to 9.1.8 and 8.5.14

Description

The issue arises because a user can register someone else's email address as their own username, which allows one user to block another user's login attempts. In Grafana, a user's username and email address are each unique fields, and the login system lets users log in with either the username or the email address. This creates unusual behavior: one user can register with an email address, and another user can then register a username identical to the first user's email address, which prevents the first user from logging in.

Recommendations

For versions prior to 9.1.8, update to version 9.1.8 or later. For versions prior to 8.5.14, update to version 8.5.14 or later. At the moment, there are no workarounds for this issue.
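
The collision described above, modelled as an added Go example (not Grafana's code and not its patch): `FindCollisions` audits an account list for usernames that equal another account's email address, and `ValidateNew` is one possible registration check. The `User` type, the function names, the case-insensitive comparison and the sample accounts are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)
// User is a simplified account record (hypothetical, not Grafana's schema).
type User struct {
	ID           int
	Login, Email string
}
var ErrCrossFieldCollision = errors.New("identifier already used by another account")
// norm compares identifiers case-insensitively (an assumption of this example).
func norm(s string) string { return strings.ToLower(strings.TrimSpace(s)) }
// FindCollisions returns {usernameOwnerID, emailOwnerID} pairs where one
// account's username equals a different account's email address.
func FindCollisions(users []User) [][2]int {
	byEmail := make(map[string]int, len(users))
	for _, u := range users {
		if e := norm(u.Email); e != "" {
			byEmail[e] = u.ID
		}
	}
	var out [][2]int
	for _, u := range users {
		if owner, ok := byEmail[norm(u.Login)]; ok && owner != u.ID {
			out = append(out, [2]int{u.ID, owner})
		}
	}
	return out
}

// ValidateNew rejects a candidate whose username or email matches either field of an existing account.
func ValidateNew(users []User, c User) error {
	for _, u := range users {
		for _, v := range []string{norm(u.Login), norm(u.Email)} {
			if v != "" && (v == norm(c.Login) || v == norm(c.Email)) {
				return ErrCrossFieldCollision
			}
		}
	}
	return nil
}

func main() {
	users := []User{{1, "alice", "alice@example.org"}, {2, "alice@example.org", "bob@example.org"}} // constructed sample
	fmt.Println(FindCollisions(users), ValidateNew(users[:1], users[1]))
}
```

Checking only username against username and email against email, as the per-field uniqueness in the description does, would accept the second constructed account; the cross-field comparison is what rejects it.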

Exploit

Fix

DoS

Improper Authentication

Weakness Enumeration

Related Identifiers

ALSA-2023:2167
ALSA-2023:2784
ALSA-2023_2784
ALSA-2025_16880
ALT-PU-2022-3295
ALT-PU-2023-1161
ALT-PU-2023-4567
BDU:2024-02618
BIT-GRAFANA-2022-39229
CESA-2023_2784
CVE-2022-39229
ECHO-C528-9209-BF9C
GHSA-GJ7M-853R-289R
GO-2024-2848
OESA-2024-2260
OPENSUSE-SU-2023_0353-1
OPENSUSE-SU-2023_0362-1
OPENSUSE-SU-2024:12508-1
RHSA-2023:2167
RHSA-2023:2784
RHSA-2023_2167
RHSA-2023_2784
SUSE-SU-2023:0352-1
SUSE-SU-2023:0353-1
SUSE-SU-2023:0362-1
SUSE-SU-2024:0191-1
SUSE-SU-2024:0196-1

Affected Products

Alt Linux
Almalinux
Centos
Grafana
Red Hat
Red Os
Suse