CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: LOW
Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L
EPSS
Percentile: 35.5%
Grafana is an open-source platform for monitoring and observability. When
the "forgot password" function on the login page is used, a POST request is
made to the /api/user/password/sent-reset-email URL. When the submitted
username or email does not exist, the JSON response contains a "user not
found" message. Because the response differs depending on whether the account
exists, unauthenticated users can confirm which usernames and email addresses
are registered (user enumeration), which introduces a security risk. This
issue has been patched in 9.2.4 and backported to 8.5.15. There are no
known workarounds.
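The enumeration behaviour described above, and the shape of a fix, as an added Go example. This is illustrative code written for this page, not Grafana's handler or its patch: the user store, the `userOrEmail` request field, the status codes and the "Email sent" text are assumptions. `leakyResetHandler` reproduces the advisory's distinguishable "user not found" response; `hardenedResetHandler` answers identically for known and unknown accounts and only varies the side effect (queuing a mail). `enumerable` is the check a tester would run against either: submit one real and one invented account and compare the responses.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed user store standing in for the real account database.
var knownUsers = map[string]bool{"admin": true, "alice@example.com": true}

// Mails that would be sent; the hardened handler records the lookup result
// here instead of in the HTTP response.
var queued []string

// resetForm is the assumed request body of the reset endpoint.
type resetForm struct {
	UserOrEmail string `json:"userOrEmail"`
}

func writeJSON(w http.ResponseWriter, status int, msg string) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	json.NewEncoder(w).Encode(map[string]string{"message": msg})
}

// leakyResetHandler mirrors the advisory: an unknown account yields a
// different status and a "user not found" message, so the caller learns
// whether the account exists.
func leakyResetHandler(w http.ResponseWriter, r *http.Request) {
	var f resetForm
	if err := json.NewDecoder(r.Body).Decode(&f); err != nil {
		writeJSON(w, http.StatusBadRequest, "bad request")
		return
	}
	if !knownUsers[f.UserOrEmail] {
		writeJSON(w, http.StatusNotFound, "user not found")
		return
	}
	queued = append(queued, f.UserOrEmail)
	writeJSON(w, http.StatusOK, "Email sent")
}

// hardenedResetHandler returns the same status and body in both cases; the
// lookup only decides whether a mail is queued, which the client cannot see.
func hardenedResetHandler(w http.ResponseWriter, r *http.Request) {
	var f resetForm
	if err := json.NewDecoder(r.Body).Decode(&f); err != nil {
		writeJSON(w, http.StatusBadRequest, "bad request")
		return
	}
	if knownUsers[f.UserOrEmail] {
		queued = append(queued, f.UserOrEmail)
	}
	writeJSON(w, http.StatusOK, "Email sent")
}

// probe submits one reset request to a handler and returns status and body.
func probe(h http.HandlerFunc, userOrEmail string) (int, string) {
	body, _ := json.Marshal(resetForm{UserOrEmail: userOrEmail})
	req := httptest.NewRequest(http.MethodPost,
		"/api/user/password/sent-reset-email", strings.NewReader(string(body)))
	req.Header.Set("Content-Type", "application/json")
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

// enumerable reports whether a real account and an invented one can be told
// apart from the endpoint's status code or body alone.
func enumerable(h http.HandlerFunc) bool {
	c1, b1 := probe(h, "admin")
	c2, b2 := probe(h, "no-such-user-x7q2")
	return c1 != c2 || b1 != b2
}

func main() {
	fmt.Printf("leaky handler enumerable:    %v\n", enumerable(leakyResetHandler))
	fmt.Printf("hardened handler enumerable: %v\n", enumerable(hardenedResetHandler))
}
```

Note that making the status and body uniform removes only the oracle this advisory describes. If the mail is sent synchronously in the success path, response timing can still distinguish the two cases, so a complete fix also does the expensive work asynchronously or takes a fixed time for both branches.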