Cyber Resilience

CVE-2022-39307

Medium

Published: 09 November 2022

Published
09 November 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 6.7 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L
EPSS Score 0.0022 44.6th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-39307 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Grafana Grafana. Its CVSS base score is 6.7 (Medium).

Operationally, ranked at the 44.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a…

more

“user not found” message. This leaks information to unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. There are no known workarounds.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

grafana
grafana
≤ 8.5.15 · 9.0.0 — 9.2.4

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-200 CWE-209

Monitoring directly detects unauthorized disclosure of sensitive information, enabling response to exposures.

addresses: CWE-200 CWE-209

Obscuring authentication feedback prevents exposure of sensitive information such as valid usernames or failure reasons to unauthorized actors.

addresses: CWE-200 CWE-209

Concealment techniques directly prevent real sensitive data from being exposed to adversaries.

addresses: CWE-200 CWE-209

Restricts error message visibility to authorized recipients, directly reducing unauthorized exposure of sensitive information.

addresses: CWE-200 CWE-209

Filtering output to only permitted content stops unintended disclosure of sensitive information to unauthorized actors.

addresses: CWE-200

Automated marking applies security attributes to system outputs, making it harder for attackers to exploit unmarked sensitive information leading to unauthorized exposure.

addresses: CWE-200

Proper attribute retention and permitted-value enforcement limits unauthorized actors from accessing sensitive information lacking correct labels.

addresses: CWE-200

Prevents unauthorized exposure of sensitive information by prohibiting untrusted external systems from processing or storing it.

References