Grafana subject to Exposure of Sensitive Information resulting in User enumeration via forget password

Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a “user not found” message. This leaks information to unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. There are no known workarounds.

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L

信息暴露

Grafana 信息泄露漏洞

Grafana是Grafana开源的一套提供可视化监控界面的开源监控工具。该工具主要用于监控和分析Graphite、InfluxDB和Prometheus等。 Grafana 9.2.4之前的9.x版本和8.5.15之前的8.x版本存在安全漏洞，该漏洞源于攻击者可以通过忘记密码用户枚举绕过对Grafana数据的访问限制，以读取敏感信息。

N/A

N/A