CVE-2022-39229

Published on: Not Yet Published

Last Modified on: 10/19/2022 02:10:00 PM UTC

CVE-2022-39229 - advisory for GHSA-gj7m-853r-289r

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Certain versions of Grafana from Grafana contain the following vulnerability:

Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to 9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email address as a username. A Grafana user’s username and email address are unique fields, that means no other user can have the same username or email address as another user. A user can have an email address as a username. However, the login system allows users to log in with either username or email address. Since Grafana allows a user to log in with either their username or email address, this creates an usual behavior where `user_1` can register with one email address and `user_2` can register their username as `user_1`’s email address. This prevents `user_1` logging into the application since `user_1`'s password won’t match with `user_2`'s email address. Versions 9.1.8 and 8.5.14 contain a patch. There are no workarounds for this issue.

CVE-2022-39229 has been assigned by [email protected] to track the vulnerability - currently rated as MEDIUM severity.
Affected Vendor/Software: grafana - grafana version >= 9.0.0, < 9.1.8
Affected Vendor/Software: grafana - grafana version >= 8.5.0, < 8.5.14

CVSS3 Score: 4.3 - MEDIUM

Attack Vector ^ⓘ	Attack Complexity	Privileges Required	User Interaction
NETWORK	LOW	LOW	NONE
Scope	Confidentiality Impact	Integrity Impact	Availability Impact
UNCHANGED	NONE	NONE	LOW

CVE References

Description	Tags ^ⓘ	Link
Add test for username/login field conflict · grafana/[email protected] · GitHub	github.com text/html	MISC github.com/grafana/grafana/commit/5644758f0c5ae9955a4e5480d71f9bef57fdce35
Release 9.1.8 (2022-10-11) · grafana/grafana · GitHub	github.com text/html	MISC github.com/grafana/grafana/releases/tag/v9.1.8
Using email as a username can block other users from signing in · Advisory · grafana/grafana · GitHub	github.com text/html	CONFIRM github.com/grafana/grafana/security/advisories/GHSA-gj7m-853r-289r

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].

Related QID Numbers

690984 Free Berkeley Software Distribution (FreeBSD) Security Update for grafana (909a80ba-6294-11ed-9ca2-6c3be5272acd)
753668 SUSE Enterprise Linux Security Update for grafana (SUSE-SU-2023:0362-1)

Known Affected Configurations (CPE V2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Grafana	Grafana	All	All	All	All

cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*:

No vendor comments have been submitted for this CVE

Social Mentions

Source	Title	Posted (UTC)
@feedpushr	Grafana security releases: New versions with fixes for CVE-2022-39229, CVE-2022-39201, CVE-2022-31130, CVE-2022-311… twitter.com/i/web/status/1…	2022-10-12 17:48:26
@CVEreport	CVE-2022-39229 : #Grafana is an open source data visualization platform for metrics, logs, and traces. Versions pri… twitter.com/i/web/status/1…	2022-10-13 22:27:04
/r/netcve	CVE-2022-39229	2022-10-13 23:38:21