Information Exposure Affecting grafana package, versions <0:9.2.10-7.el9_3


Severity

Recommended
0.0
medium
0
10

Based on Oracle Linux security rating.

Threat Intelligence

EPSS
0.7% (48th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-ORACLE9-GRAFANA-6064563
  • published17 Nov 2023
  • disclosed9 Nov 2022

Introduced: 9 Nov 2022

CVE-2022-39307  (opens in a new tab)
CWE-209  (opens in a new tab)

How to fix?

Upgrade Oracle:9 grafana to version 0:9.2.10-7.el9_3 or higher.
This issue was patched in ELSA-2023-6420.

NVD Description

Note: Versions mentioned in the description apply only to the upstream grafana package and not the grafana package as distributed by Oracle. See How to fix? for Oracle:9 relevant fixed versions and status.

Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the /api/user/password/sent-reset-email URL. When the username or email does not exist, a JSON response contains a “user not found” message. This leaks information to unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. There are no known workarounds.

CVSS Base Scores

version 3.1