CVE-2022-39229: Grafana when using email as a username can block other users from signing in
On September 7 as a result of an internal security audit we have discovered a security vulnerability in Grafana basic authentication, related to the usage of username and email address.
In Grafana, a user’s username and email address are unique fields, that means no other user can have the same username or email address as another user.
In addition, a user can have an email address as a username and Grafana login allows users to sign in with either username or email address. This creates an unusual behavior, where user_1 can register with one email address and user_2 can register their username as user_1’s email address. As a result, user_1 would be prevented to sign in Grafana, since user_1 password won’t match with users_2 email address.
The CVSS score for this vulnerability is 4.3 Moderate (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L).
References
Detect and mitigate CVE-2022-39229 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →