Published: October 18, 2024
Modified: October 25, 2024
Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to 9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else's email address as a username. A Grafana user's username and email address are unique fields, which means no other user can have the same username or email address as another user. A user can have an email address as a username. However, the login system allows users to log in with either username or email address. This creates an unusual behavior where `user_1` can register with one email address and `user_2` can register their username as `user_1`'s email address. This prevents `user_1` from logging into the application, since `user_1`'s password won't match with `user_2`'s email address. Versions 9.1.8 and 8.5.14 contain a patch. There are no workarounds for this issue.
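
The collision described above, as an added example that is not Grafana's code or part of this advisory: a minimal model in which each field is unique on its own and login accepts either field. The `User` and `Store` types, the lookup order (username match before email match), the `Strict` cross-field check and all sample accounts are assumptions made for illustration; the check is one possible mitigation, not the patch shipped in 9.1.8 and 8.5.14.

```go
package main

import (
	"fmt"
	"strings"
)

// User and Store are constructed stand-ins, not Grafana's data model.
// Strict turns on the cross-field uniqueness check in Register.
type User struct{ Login, Email, Password string }
type Store struct{ Users []User; Strict bool }

// Register enforces per-field uniqueness; Strict also rejects a login that
// equals another user's email, and an email that equals another user's login.
func (s *Store) Register(u User) bool {
	eq := strings.EqualFold
	for _, e := range s.Users {
		cross := eq(e.Email, u.Login) || eq(e.Login, u.Email)
		if eq(e.Login, u.Login) || eq(e.Email, u.Email) || (s.Strict && cross) {
			return false
		}
	}
	s.Users = append(s.Users, u)
	return true
}

// Authenticate resolves id to one record, preferring a login match over an
// email match (assumed order). Plaintext compare stands in for a hash check.
func (s *Store) Authenticate(id, pw string) bool {
	hit := -1
	for i, u := range s.Users {
		if strings.EqualFold(u.Login, id) || (hit < 0 && strings.EqualFold(u.Email, id)) {
			hit = i
		}
	}
	return hit >= 0 && s.Users[hit].Password == pw
}

// Scenario replays the advisory's sequence with constructed accounts and
// returns (user_2 accepted?, user_1 can still log in with their email?).
func Scenario(strict bool) (accepted, victimOK bool) {
	s := &Store{Strict: strict}
	s.Register(User{"user_1", "u1@example.test", "pw1"})
	accepted = s.Register(User{"u1@example.test", "u2@example.test", "pw2"})
	return accepted, s.Authenticate("u1@example.test", "pw1")
}

func main() {
	fmt.Println(Scenario(false)) // per-field uniqueness only
	fmt.Println(Scenario(true))  // with the cross-field check
}
```

With per-field uniqueness only, the second registration is accepted and `user_1`'s email now resolves to `user_2`'s record; with the cross-field check it is refused and `user_1` still authenticates.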

Metric | NVD | openEuler |
---|---|---|
CVSS Score | 4.3 | 4.3 |
Attack Vector | Network | Network |
Attack Complexity | Low | Low |
Privileges Required | Low | Low |
User Interaction | None | None |
Scope | Unchanged | Unchanged |
Confidentiality | None | None |
Integrity | None | None |
Availability | Low | Low |

Advisory | Summary | Published |
---|---|---|
KylinSec-SA-2024-4129 | grafana security update | October 18, 2024 |

Product | Package | Status |
---|---|---|
KY3.4-5A | grafana | Fixed |
KY3.5.2 | grafana | Fixed |
V6 | grafana | Fixed |