CVE-2022-39307: Grafana User enumeration via forget password

May 14, 2024 (updated November 18, 2024)

When using the forget password on the login page, a POST request is made to the /api/user/password/sent-reset-email URL. When the username or email does not exist, a JSON response contains a “user not found” message.

References

github.com/advisories/GHSA-3p62-42x7-gxg5
github.com/grafana/grafana
github.com/grafana/grafana/security/advisories/GHSA-3p62-42x7-gxg5
nvd.nist.gov/vuln/detail/CVE-2022-39307
security.netapp.com/advisory/ntap-20221215-0004

Code Behaviors & Features

Detect and mitigate CVE-2022-39307 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →