CVE-2022-39229

Summary

CVE: CVE-2022-39229
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2022-10-13 23:15:00 UTC
Updated: 2022-10-19 14:10:00 UTC
Description: Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to 9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else's email address as a username. A Grafana user's username and email address are unique fields, which means no other user can have the same username or email address as another user. A user can have an email address as a username. However, the login system allows users to log in with either username or email address. Since Grafana allows a user to log in with either their username or email address, this creates an unusual behavior where `user_1` can register with one email address and `user_2` can register their username as `user_1`'s email address. This prevents `user_1` from logging into the application, since a login attempt using `user_1`'s email address resolves to `user_2`'s account and `user_1`'s password will not match it. Versions 9.1.8 and 8.5.14 contain a patch. There are no workarounds for this issue.
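The collision described above is easy to reproduce in a small model of the user table. The following is an added illustration, not Grafana's code and not its actual patch: it models a `user` table where `login` and `email` are each unique on their own, a "username or email" login that consults the `login` column before the `email` column, a registration-time cross-field check as one workable mitigation, and an audit helper for finding existing collisions in a user list. All names (`UserStore`, `find_conflicts`, `demo_lockout`, the sample accounts and passwords) are hypothetical and the data is constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class User:
    login: str      # unique column
    email: str      # unique column
    salt: bytes
    pw_hash: bytes


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class UserStore:
    """In-memory stand-in for the user table (hypothetical, not Grafana code)."""

    def __init__(self, reject_cross_field_conflicts: bool = False):
        # False models the behaviour the advisory describes: each column is
        # unique on its own, but nothing relates one user's login to another
        # user's email. True adds the missing cross-field check.
        self.reject_cross_field_conflicts = reject_cross_field_conflicts
        self.users: List[User] = []

    def register(self, login: str, email: str, password: str) -> User:
        login, email = login.lower(), email.lower()
        if any(u.login == login for u in self.users):
            raise ValueError("login already taken")
        if any(u.email == email for u in self.users):
            raise ValueError("email already taken")
        if self.reject_cross_field_conflicts:
            # A new login must not equal an existing email, and a new email
            # must not equal an existing login; otherwise the "username or
            # email" login form becomes ambiguous for one of the two users.
            if any(u.email == login or u.login == email for u in self.users):
                raise ValueError("login/email collides with another user's email/login")
        salt = os.urandom(16)
        user = User(login, email, salt, _hash(password, salt))
        self.users.append(user)
        return user

    def get_by_login_or_email(self, identifier: str) -> Optional[User]:
        # The login column is consulted first; the email column only if no
        # login matched. That ordering is what lets a hostile login value
        # shadow a victim's email address.
        identifier = identifier.lower()
        for u in self.users:
            if u.login == identifier:
                return u
        if "@" in identifier:
            for u in self.users:
                if u.email == identifier:
                    return u
        return None

    def authenticate(self, identifier: str, password: str) -> Optional[User]:
        u = self.get_by_login_or_email(identifier)
        if u is None:
            return None
        if hmac.compare_digest(_hash(password, u.salt), u.pw_hash):
            return u
        return None


def find_conflicts(users: List[User]) -> List[Tuple[str, str]]:
    """Audit helper: returns (offending_login, victim_login) pairs where one
    user's login equals another user's email. Per-column uniqueness alone
    does not prevent such rows from existing."""
    by_email = {u.email: u for u in users}
    found = []
    for u in users:
        victim = by_email.get(u.login)
        if victim is not None and victim is not u:
            found.append((u.login, victim.login))
    return found


def demo_lockout() -> dict:
    """Reproduce the lockout from the advisory with constructed accounts."""
    store = UserStore()
    store.register("user_1", "user1@example.com", "correct horse")
    # user_2 registers user_1's email address as their username.
    store.register("user1@example.com", "user2@example.com", "battery staple")
    return {
        # The email lookup now resolves to user_2's row, so the password fails.
        "victim_by_email": store.authenticate("user1@example.com", "correct horse") is not None,
        # In this model the plain username still resolves to the right row.
        "victim_by_login": store.authenticate("user_1", "correct horse") is not None,
        "conflicts": find_conflicts(store.users),
    }


def demo_fixed() -> bool:
    """With the cross-field check, the second registration is refused."""
    store = UserStore(reject_cross_field_conflicts=True)
    store.register("user_1", "user1@example.com", "correct horse")
    try:
        store.register("user1@example.com", "user2@example.com", "battery staple")
    except ValueError:
        return True
    return False
```

`find_conflicts` is the check worth running against an existing user export after upgrading: a patch that adds a registration-time check does not, by itself, undo collisions that were created before it.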

Risk And Classification

Problem Types: CWE-287

NVD Known Affected Configurations (CPE 2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Application | Grafana | Grafana | All | All | All | All

References

Reference | Source | Link | Tags
Add test for username/login field conflict · grafana/grafana@5644758 · GitHub | MISC | github.com |
Release 9.1.8 (2022-10-11) · grafana/grafana · GitHub | MISC | github.com |
Using email as a username can block other users from signing in · Advisory · grafana/grafana · GitHub | CONFIRM | github.com |
CVE Program record | CVE.ORG | www.cve.org | canonical
NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis

Legacy QID Mappings

  • 160619 Oracle Enterprise Linux Security Update for grafana security and enhancement update (ELSA-2023-2167)
  • 160655 Oracle Enterprise Linux Security Update for grafana (ELSA-2023-2784)
  • 241453 Red Hat Update for grafana (RHSA-2023:2167)
  • 241485 Red Hat Update for grafana (RHSA-2023:2784)
  • 378707 Alibaba Cloud Linux Security Update for grafana (ALINUX3-SA-2023:0075)
  • 690984 Free Berkeley Software Distribution (FreeBSD) Security Update for grafana (909a80ba-6294-11ed-9ca2-6c3be5272acd)
  • 753668 SUSE Enterprise Linux Security Update for grafana (SUSE-SU-2023:0362-1)
  • 941046 AlmaLinux Security Update for grafana (ALSA-2023:2167)
  • 941104 AlmaLinux Security Update for grafana (ALSA-2023:2784)
© CVE.report 2026


CVE, CWE, and OVAL are registered trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.
