CVSS3: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CVSS2: 4 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P

EPSS: 0.001 Low
Percentile: 18.9%

grafana is vulnerable to Authentication Bypass. The vulnerability exists due to a conflict in the login field in the GetUserByLogin function in user.go: an attacker can register in the system using another user's email address as a username, blocking that user's login attempts.

github.com/grafana/grafana/commit/1d58ef43fbd5fd0cea0e67229f7daeb698f0a64b
github.com/grafana/grafana/commit/5644758f0c5ae9955a4e5480d71f9bef57fdce35
github.com/grafana/grafana/commit/85f581105a677d9c243d7e337b8b4a4e28cabc1c
github.com/grafana/grafana/commit/f5da38804163a17b893dc4343f8e5cc9d4f92a4d
github.com/grafana/grafana/pull/511
github.com/grafana/grafana/releases/tag/v9.1.8
github.com/grafana/grafana/security/advisories/GHSA-gj7m-853r-289r
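
An added audit example (not Grafana's code and not taken from the advisory): given an export of accounts, it lists every account whose login equals a different account's email address, which is the conflict described above. The User type, the sample rows and the case-insensitive comparison are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// User is a hypothetical minimal account record, not Grafana's own model.
type User struct {
	ID           int64
	Login, Email string
}

// Collision records that the login of one account equals the email of another.
type Collision struct {
	LoginOwner, EmailOwner int64
	Value                  string
}

// FindLoginEmailCollisions returns each case where a login held by one account
// matches the email of a different account (assumed case-insensitive).
func FindLoginEmailCollisions(users []User) []Collision {
	byEmail := make(map[string][]int64)
	for _, u := range users {
		if e := strings.ToLower(strings.TrimSpace(u.Email)); e != "" {
			byEmail[e] = append(byEmail[e], u.ID)
		}
	}
	var out []Collision
	for _, u := range users {
		login := strings.ToLower(strings.TrimSpace(u.Login))
		for _, owner := range byEmail[login] {
			if owner != u.ID { // a user whose own login is their own email is fine
				out = append(out, Collision{u.ID, owner, login})
			}
		}
	}
	return out
}

func main() {
	users := []User{ // constructed sample data
		{1, "alice", "alice@example.com"},
		{2, "alice@example.com", "mallory@example.com"}, // login equals user 1's email
		{3, "bob@example.com", "bob@example.com"},
	}
	for _, c := range FindLoginEmailCollisions(users) {
		fmt.Printf("login of user %d equals email of user %d: %s\n", c.LoginOwner, c.EmailOwner, c.Value)
	}
}
```

The same comparison can be applied at registration time to reject a new login that matches an existing account's email.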