Description
Grafana is an open-source platform for monitoring and observability. When the forgot-password function on the login page is used, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, the JSON response contains a “user not found” message. This lets an unauthenticated user confirm whether a given username or email address is registered, which is an information leak and a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. There are no known workarounds.
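To make the difference concrete, here is an added Go example (not Grafana's own code): a handler that answers “user not found” for unknown accounts next to one that returns the same reply either way, plus the check a tester runs against both. The JSON field name `userOrEmail`, the in-memory user table and the sample addresses are assumptions.

```go
package main
import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed stand-in for the user lookup; not Grafana's own code or data.
var knownUsers = map[string]bool{"alice@example.com": true}
func loginFromBody(r *http.Request) string {
	var req map[string]string
	_ = json.NewDecoder(r.Body).Decode(&req) // a bad body acts like an unknown account
	return req["userOrEmail"]                 // field name is an assumption
}

// vulnerableHandler mirrors the advisory: unknown accounts get a distinct reply.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if !knownUsers[loginFromBody(r)] {
		http.Error(w, `{"message":"user not found"}`, http.StatusNotFound)
		return
	}
	fmt.Fprint(w, `{"message":"Email sent"}`) // sendResetEmail would run here
}

// hardenedHandler answers identically; the e-mail is still sent only for real accounts.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	_ = knownUsers[loginFromBody(r)] // queue sendResetEmail only when this is true
	fmt.Fprint(w, `{"message":"Email sent"}`)
}

// probe posts one login and returns status and body, the pair a tester compares.
func probe(h http.HandlerFunc, login string) (int, string) {
	body := strings.NewReader(fmt.Sprintf(`{"userOrEmail":%q}`, login))
	req := httptest.NewRequest(http.MethodPost, "/api/user/password/sent-reset-email", body)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

// leaksExistence reports whether a known and an unknown login get different replies.
func leaksExistence(h http.HandlerFunc) bool {
	c1, b1 := probe(h, "alice@example.com")
	c2, b2 := probe(h, "nobody@example.com")
	return c1 != c2 || b1 != b2
}

func main() {
	fmt.Println("vulnerable leaks:", leaksExistence(vulnerableHandler), "hardened leaks:", leaksExistence(hardenedHandler))
}
```

Identical responses are not the whole fix: sending the reset e-mail synchronously only for real accounts can still leave a measurable timing difference, so that work belongs on a background queue.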