CVE-2022-39307: Grafana User enumeration via forget password
When the forget password form on the login page is used, a POST request is made to the /api/user/password/sent-reset-email URL. When the username or email does not exist, the JSON response contains a “user not found” message, so the response itself reveals whether an account exists.
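
The response difference described above, and one way to remove it, as an added Go example (not Grafana's code). Only the endpoint path and the "user not found" message come from the advisory; the account store, the `userOrEmail` field name, the status codes and the "Email sent" message are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed account store and mail outbox; the JSON field name is an assumption.
var users = map[string]bool{"admin": true, "alice@example.com": true}
var outbox []string

type resetRequest struct{ UserOrEmail string `json:"userOrEmail"` }

// resetHandler: uniform=false reproduces the advisory's distinct "user not found"
// reply (404 status assumed); uniform=true answers every well-formed request alike.
func resetHandler(uniform bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var req resetRequest
		status, msg := http.StatusOK, "Email sent"
		switch err := json.NewDecoder(r.Body).Decode(&req); {
		case err != nil:
			status, msg = http.StatusBadRequest, "bad request"
		case users[req.UserOrEmail]:
			outbox = append(outbox, req.UserOrEmail) // mail goes only to real accounts
		case !uniform:
			status, msg = http.StatusNotFound, "user not found"
		}
		w.WriteHeader(status)
		json.NewEncoder(w).Encode(map[string]string{"message": msg})
	}
}

// reply calls h in-process and returns "status body" for one identifier.
func reply(h http.HandlerFunc, id string) string {
	body, _ := json.Marshal(resetRequest{UserOrEmail: id})
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodPost, "/api/user/password/sent-reset-email", strings.NewReader(string(body))))
	return fmt.Sprintf("%d %s", rec.Code, strings.TrimSpace(rec.Body.String()))
}

// distinguishes reports whether h answers a known and an unknown account differently.
func distinguishes(h http.HandlerFunc) bool {
	return reply(h, "admin") != reply(h, "nobody@example.com")
}

func main() { fmt.Println("original:", distinguishes(resetHandler(false)), "uniform:", distinguishes(resetHandler(true))) }
```

`distinguishes` works as a regression check: it should return false for whatever handler serves the reset endpoint.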