GrafanaOSS CVE-2022-39229 Authentication Bypass Vulnerability

Description

Grafana versions prior to 9.1.8 and 8.5.14 allow one user to block another user from logging in by registering that user's email address as a username. A Grafana user's username and email address are each unique fields: no two users can share a username, and no two users can share an email address. A username is, however, allowed to be an email address, and the login form accepts either a username or an email address as the identifier. Because uniqueness is enforced per field, nothing stops `user_2` from registering a username equal to `user_1`'s email address, since that string is not yet taken as a username. When `user_1` then logs in with their email address, the identifier resolves to `user_2`'s account (the username match wins), so `user_1`'s password is checked against `user_2`'s credentials and the login fails. Versions 9.1.8 and 8.5.14 contain a patch. There are no workarounds for this issue.
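The following Go program is an added illustration of the lookup collision described above; it is not Grafana's code and does not reproduce Grafana's user store. It models the two per-field uniqueness checks, a login resolver that tries the username column before the email column (the behaviour the advisory describes), and an assumed hardened resolver that prefers the email owner whenever the identifier contains `@`. The user names, email addresses, passwords and the hardened strategy are all constructed for the example; the unsalted SHA-256 stands in for a real password hash only to keep the program self-contained.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// User carries the two identity fields the advisory calls unique.
type User struct {
	Login    string
	Email    string
	PassHash [32]byte // illustration only: real systems need a salted, slow hash
}

// Store is a minimal in-memory user table (constructed for this example).
type Store struct{ users []User }

var (
	ErrConflict    = errors.New("username or email already taken")
	ErrNoUser      = errors.New("no such user")
	ErrBadPassword = errors.New("password mismatch")
)

func hash(pw string) [32]byte { return sha256.Sum256([]byte(pw)) }

// Register enforces uniqueness per field, exactly as the advisory describes:
// a login may not repeat another login and an email may not repeat another
// email, but a login may equal somebody else's email.
func (s *Store) Register(login, email, password string) error {
	for _, u := range s.users {
		if u.Login == login || u.Email == email {
			return ErrConflict
		}
	}
	s.users = append(s.users, User{Login: login, Email: email, PassHash: hash(password)})
	return nil
}

func (s *Store) byLogin(id string) *User {
	for i := range s.users {
		if s.users[i].Login == id {
			return &s.users[i]
		}
	}
	return nil
}

func (s *Store) byEmail(id string) *User {
	for i := range s.users {
		if s.users[i].Email == id {
			return &s.users[i]
		}
	}
	return nil
}

// VulnerableLookup resolves the identifier by username first and only falls
// back to email: a squatted username shadows the real email owner.
func (s *Store) VulnerableLookup(id string) *User {
	if u := s.byLogin(id); u != nil {
		return u
	}
	if strings.Contains(id, "@") {
		return s.byEmail(id)
	}
	return nil
}

// HardenedLookup is an assumed fix (not Grafana's patch): an identifier that
// looks like an email is matched against the email column first, so the
// address owner wins over anyone who chose that address as a username.
func (s *Store) HardenedLookup(id string) *User {
	if strings.Contains(id, "@") {
		if u := s.byEmail(id); u != nil {
			return u
		}
	}
	return s.byLogin(id)
}

// Authenticate resolves the identifier with the given strategy and checks the
// password against whichever account was resolved, returning that account's login.
func Authenticate(lookup func(string) *User, id, password string) (string, error) {
	u := lookup(id)
	if u == nil {
		return "", ErrNoUser
	}
	h := hash(password)
	if subtle.ConstantTimeCompare(h[:], u.PassHash[:]) != 1 {
		return "", ErrBadPassword
	}
	return u.Login, nil
}

// Scenario replays the advisory: user_2 registers user_1's email as a username,
// then user_1 tries to log in with that email and the correct password.
func Scenario() (vulnErr error, hardenedLogin string, hardenedErr error) {
	s := &Store{}
	_ = s.Register("user_1", "user1@example.com", "pw-one")
	_ = s.Register("user1@example.com", "user2@example.com", "pw-two") // accepted: no per-field clash
	_, vulnErr = Authenticate(s.VulnerableLookup, "user1@example.com", "pw-one")
	hardenedLogin, hardenedErr = Authenticate(s.HardenedLookup, "user1@example.com", "pw-one")
	return vulnErr, hardenedLogin, hardenedErr
}

func main() {
	v, l, h := Scenario()
	fmt.Println("vulnerable lookup:", v) // password mismatch: resolved to user_2
	fmt.Println("hardened lookup:", l, h) // user_1 <nil>
}
```

In this model `user_1` can still sign in with the bare username `user_1`; what the squatter takes away is the email as a login identifier, which is the only identifier many users remember. The hardened resolver only changes which account an `@` identifier resolves to; an alternative mitigation with the same effect would be to refuse usernames containing `@` unless they equal the registrant's own email.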

Affected Applications

GrafanaOSS

CVE References

CVE-2022-39229