← Back

CVE-2023-3128

nvd nist
Published: Jun 22, 2023Modified: Feb 13, 2025

JSON object

Loading...
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD

Description

Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.

Affected (10)

Products: Grafana: Grafana
Grafana
1 product
Grafana
Configuration A
10 vulnerable
Vulnerable SoftwareAffected Versions
Grafana
Grafana
From 6.7.0 to 8.5.27
Grafana
From 9.2.0 to 9.2.20
Grafana
From 9.3.0 to 9.3.16
Grafana
From 9.4.0 to 9.4.13
Grafana
From 9.5.0 to 9.5.4
Grafana
From 6.7.0 to 8.5.27
Grafana
From 9.2.0 to 9.2.20
Grafana
From 9.3.0 to 9.3.16
Grafana
From 9.4.0 to 9.4.13
Grafana
From 9.5.0 to 9.5.4

Related CWEs

CWE-290
Authentication Bypass by Spoofing
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

References (6)

Source: security@grafana.com
Vendor Advisory
Source: security@grafana.com
Vendor Advisory
Source: security@grafana.com
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory

Timeline

No history available yet.