CVE-2022-39307

Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the /api/user/password/sent-reset-email URL. When the username or email does not exist, a JSON response contains a “user not found” message. This leaks information to unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. There are no known workarounds.

Published: Nov 10, 2022
Updated: May 4, 2025
CVE: CVE-2022-39307
GHSA: GHSA-3p62-42x7-gxg5
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-200
CWE-209

OWASP TOP 10:

A6 - Security Misconfiguration

Affected Software
References

Software	From	Fixed in
grafana / grafana	9.0.0	9.2.4
grafana / grafana	-	8.5.15
github.com/grafana/grafana	9.0.0	9.2.4
github.com/grafana/grafana	-	8.5.15

https://github.com/grafana/grafana/security/advisories/GHSA-3p62-42x7-gxg5
https://security.netapp.com/advisory/ntap-20221215-0004
https://security.netapp.com/advisory/ntap-20221215-0004/

Vulnerability Database

289,599

CVE-2022-39307