Bug 2138015 (CVE-2022-39307)

Summary: CVE-2022-39307 grafana: User enumeration via forget password
Product: [Other] Security Response
Reporter: Nick Tait <ntait>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: agerstmayr, anstephe, aoconnor, avibelli, bgeorges, bniver, chazlett, clement.escoffier, dandread, dkreling, flucifre, gmeno, gparvin, grafana-maint, gsmet, jburrell, jcantril, jkurik, jochrist, jwendell, jwon, lthon, mbenjamin, mhackett, nathans, njean, owatkins, pahickey, peholase, pgallagh, pjindal, probinso, rcernich, rruss, rsvoboda, sbiarozk, sostapov, stcannon, teagle, twalsh, vereddy, vkumar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: grafana 9.2.4, grafana 8.5.15
Doc Type: If docs needed, set a value
Doc Text: An information leak was discovered in Grafana. Remote unauthenticated users could exploit the forget password feature to discover which user accounts exist.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2138034, 2138035, 2138036, 2138070, 2138071, 2138265, 2141185
Bug Blocks: 2137894

Description Nick Tait 2022-10-26 21:24:23 UTC
When using the forget password on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, the JSON response contains a “user not found” message which leaks information about which accounts already exist.

Affected Versions: 
Grafana <=8.x, Grafana <=9.x
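The behaviour described above, shown as an added example that is not Grafana's own code: `leakyHandler` answers differently for known and unknown accounts (the leak), while `fixedHandler` returns the same body either way, so the lookup result never reaches the caller. The user store, the `userOrEmail` field name and the handler names are constructed for this example; the path is the one named in the report.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed stand-in for the user store; not Grafana's own code.
var knownUsers = map[string]bool{"alice": true, "bob@example.org": true}

type resetRequest struct {
	UserOrEmail string `json:"userOrEmail"`
}

// leakyHandler mirrors the report: the body differs depending on whether the
// account exists, so an unauthenticated caller can tell real accounts apart.
func leakyHandler(w http.ResponseWriter, r *http.Request) {
	var req resetRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, `{"message":"bad request"}`, http.StatusBadRequest)
		return
	}
	if !knownUsers[req.UserOrEmail] {
		fmt.Fprint(w, `{"message":"user not found"}`)
		return
	}
	fmt.Fprint(w, `{"message":"Email sent"}`) // the reset mail would be sent here
}

// fixedHandler answers identically for known and unknown accounts; the lookup
// only decides whether a mail is actually sent, never what the caller sees.
func fixedHandler(w http.ResponseWriter, r *http.Request) {
	var req resetRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, `{"message":"bad request"}`, http.StatusBadRequest)
		return
	}
	_ = knownUsers[req.UserOrEmail] // send the mail only if true; response is fixed
	fmt.Fprint(w, `{"message":"Email sent"}`)
}

// responseFor posts one reset request to h and returns the response body.
func responseFor(h http.HandlerFunc, userOrEmail string) string {
	body := strings.NewReader(`{"userOrEmail":"` + userOrEmail + `"}`)
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodPost, "/api/user/password/sent-reset-email", body))
	return rec.Body.String()
}
```

Comparing `responseFor(leakyHandler, "alice")` with `responseFor(leakyHandler, "nobody")` reproduces the distinguishable responses; the two `fixedHandler` calls return identical bodies.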

Comment 1 Sage McTaggart 2022-10-27 00:01:31 UTC
Deptopia refers to version 5.2.3-4.el7cp for ceph 3 (which matches with a manual search of the most recent release's source code), thus affected and OOOS, and uses Grafana container for Ceph 4 and 5.  

Grafana container:  
Ceph 4.x uses golang:1.11.4 as the base to get grafana from. This was released significantly prior to the bugs in 9.2.0 and 9.2.1, but 5.x<=8.x, so affected and trackers filed.

Ceph 5.3 (RC and thus the only potentially affected version) uses Grafana 8.3.5, and all the potential bug fixes are from prior to the http://tracker.ceph.com/issues/48*, which is when the affected timeline begins. 

Ceph 5.2 (most recent published version) uses Grafana 8.3.5 and https://pkg.go.dev/github.com/grafana/grafana (from golang:1.17.6-alpine3.15), in the grafana container, published in 2019.
Thus, affected as 8.3.5 <= 8.x

In the case of gluster, the last release was in Feb. I also dug into the source code for gluster; we're running 5.2.4 as Deptopia verifies. 5.x<=8.x, so marked as affected and trackers filed.

Comment 6 Avinash Hanwate 2022-11-09 04:45:07 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2141185]

Comment 21 errata-xmlrpc 2023-06-15 16:01:15 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642

Comment 23 errata-xmlrpc 2023-11-07 08:16:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6420 https://access.redhat.com/errata/RHSA-2023:6420