CVE-2022-39229: Using email as a username can block other users from signing in

Currently, a user’s username and email address are unique fields, which means no other user can have the same username or email address as another user. A user can have an email address as a username. However, the login system allows users to log in with either username or email address. Since we allow a user to log in with either their username or email address, this creates an unusual behavior where user_1 can register with one email address and user_2 can register his username as user_1’s email address. This prevents user_1 from logging into the application since user_1’s password won’t match with user_2’s email address. This is a moderate severity security issue because it can stop a user from logging into the system.

Affected versions: Grafana <= 9.1.x
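The collision described above, modeled as an added example (not Grafana's code and not part of the original report): a store that enforces uniqueness per field only, next to a registration check that also rejects cross-field collisions. The `User`, `Store` and `Scenario` names, the case-insensitive matching, and the rule that a username match wins over an email match are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed model, not Grafana's types. Secret stands in for a password-hash check.
type User struct{ Login, Email, Secret string }
type Store struct{ users []User }

func eq(a, b string) bool { return strings.EqualFold(a, b) }

// Register enforces per-field uniqueness; strict also rejects login/email cross-collisions.
func (s *Store) Register(u User, strict bool) error {
	for _, e := range s.users {
		if eq(e.Login, u.Login) || eq(e.Email, u.Email) ||
			(strict && (eq(e.Email, u.Login) || eq(e.Login, u.Email))) {
			return errors.New("login or email already in use")
		}
	}
	s.users = append(s.users, u)
	return nil
}

// Login takes a username or email. Assumption: a username match wins over an email match.
func (s *Store) Login(id, secret string) bool {
	for _, byLogin := range []bool{true, false} {
		for _, u := range s.users {
			if (byLogin && eq(u.Login, id)) || (!byLogin && eq(u.Email, id)) {
				return u.Secret == secret
			}
		}
	}
	return false
}

// Scenario replays the report: user_2 registers user_1's email as a username.
func Scenario(strict bool) (user1CanLogin bool, secondErr error) {
	s := &Store{}
	s.Register(User{"user_1", "user_1@example.com", "pw-1"}, strict)
	secondErr = s.Register(User{"user_1@example.com", "user_2@example.com", "pw-2"}, strict)
	return s.Login("user_1@example.com", "pw-1"), secondErr
}

func main() {
	fmt.Println(Scenario(false)) // per-field uniqueness only
	fmt.Println(Scenario(true))  // cross-field check added
}
```

With per-field uniqueness only, the second registration succeeds and user_1's email login resolves to user_2's record, so user_1's password is rejected; with the cross-field check the second registration fails and user_1 can still sign in.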
Created grafana tracking bugs for this issue: Affects: fedora-all [bug 2134701]
Closing as won't fix.
Woops, reopening
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:2167 https://access.redhat.com/errata/RHSA-2023:2167
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:2784 https://access.redhat.com/errata/RHSA-2023:2784
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-39229
This issue has been addressed in the following products: Red Hat Ceph Storage 6.1 Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642