Information Exposure Affecting grafana package, versions <0:9.2.10-7.el9_3


Severity

Recommended
0.0
medium
0
10

Based on Red Hat Enterprise Linux security rating.

Threat Intelligence

EPSS
0.07% (31st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RHEL9-GRAFANA-7874704
  • published3 Sept 2024
  • disclosed8 Nov 2022

Introduced: 8 Nov 2022

CVE-2022-39307  (opens in a new tab)
CWE-205  (opens in a new tab)
CWE-200  (opens in a new tab)

How to fix?

Upgrade RHEL:9 grafana to version 0:9.2.10-7.el9_3 or higher.
This issue was patched in RHSA-2023:6420.

NVD Description

Note: Versions mentioned in the description apply only to the upstream grafana package and not the grafana package as distributed by RHEL. See How to fix? for RHEL:9 relevant fixed versions and status.

Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the /api/user/password/sent-reset-email URL. When the username or email does not exist, a JSON response contains a “user not found” message. This leaks information to unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. There are no known workarounds.

CVSS Scores

version 3.1