Critical severity · NVD Advisory · Published Jun 22, 2023 · Updated Feb 13, 2025
CVE-2023-3128
Description
Grafana validates Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/grafana/grafana (Go) | >= 9.4.0, < 9.4.13 | 9.4.13 |
| github.com/grafana/grafana (Go) | >= 9.3.0, < 9.3.16 | 9.3.16 |
| github.com/grafana/grafana (Go) | >= 9.0.0, < 9.2.20 | 9.2.20 |
| github.com/grafana/grafana (Go) | < 8.5.27 | 8.5.27 |
Affected products
95 OSV package coordinates (none has a CPE assigned); each row pairs the package URL with its affected version range.

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/grafana-7 | < 0 |
| pkg:apk/chainguard/grafana-7-dashboards | < 0 |
| pkg:apk/chainguard/grafana-7-homepage | < 0 |
| pkg:apk/chainguard/grafana-homepage | < 0 |
| pkg:apk/chainguard/sourcegraph-grafana | < 0 |
| pkg:bitnami/grafana | >= 6.7.0, < 8.5.27 |
| pkg:golang/github.com/grafana/grafana | >= 9.4.0, < 9.4.13 |
| pkg:rpm/almalinux/grafana | < 9.0.9-3.el9_2.alma |
| pkg:rpm/opensuse/dracut-saltboot&distro=openSUSE%20Leap%2015.6 | < 0.1.1728559936.c16d4fb-150000.1.56.1 |
| pkg:rpm/opensuse/golang-github-prometheus-promu&distro=openSUSE%20Leap%2015.6 | < 0.17.0-150000.3.24.1 |
| pkg:rpm/opensuse/grafana&distro=openSUSE%20Leap%2015.4 | < 9.5.5-150200.3.44.1 |
| pkg:rpm/opensuse/grafana&distro=openSUSE%20Leap%2015.5 | < 9.5.5-150200.3.44.1 |
| pkg:rpm/opensuse/grafana&distro=openSUSE%20Leap%2015.6 | < 10.4.13-150200.3.59.1 |
| pkg:rpm/opensuse/grafana&distro=openSUSE%20Tumbleweed | < 10.0.1-1.1 |
| pkg:rpm/opensuse/spacecmd&distro=openSUSE%20Leap%2015.6 | < 5.0.11-150000.3.130.1 |
| pkg:rpm/opensuse/supportutils-plugin-salt&distro=openSUSE%20Leap%2015.6 | < 1.2.3-150000.3.16.1 |
| pkg:rpm/opensuse/supportutils-plugin-susemanager-client&distro=openSUSE%20Leap%2015.6 | < 5.0.4-150000.3.27.1 |
| pkg:rpm/suse/ansible&distro=SUSE%20Manager%20Client%20Tools%2015-BETA | < 2.9.27-159000.3.9.1 |
| pkg:rpm/suse/dracut-saltboot&distro=SUSE%20Manager%20Client%20Tools%2015 | < 0.1.1728559936.c16d4fb-150000.1.56.1 |
| pkg:rpm/suse/dracut-saltboot&distro=SUSE%20Manager%20Client%20Tools%2015-BETA | < 0.1.1681904360.84ef141-159000.3.30.1 |
| pkg:rpm/suse/dracut-saltboot&distro=SUSE%20Manager%20Client%20Tools%20Beta%20for%20SLE%20Micro%205 | < 0.1.1681904360.84ef141-159000.3.30.1 |
| pkg:rpm/suse/dracut-saltboot&distro=SUSE%20Manager%20Client%20Tools%20for%20SLE%20Micro%205 | < 0.1.1728559936.c16d4fb-150000.1.56.1 |
| pkg:rpm/suse/golang-github-boynux-squid_exporter&distro=SUSE%20Manager%20Client%20Tools%2012-BETA | < 1.6-4.9.2 |
| pkg:rpm/suse/golang-github-boynux-squid_exporter&distro=SUSE%20Manager%20Client%20Tools%2015-BETA | < 1.6-159000.4.9.1 |
| pkg:rpm/suse/golang-github-lusitaniae-apache_exporter&distro=SUSE%20Manager%20Client%20Tools%2012-BETA | < 1.0.0-4.12.4 |
| pkg:rpm/suse/golang-github-lusitaniae-apache_exporter&distro=SUSE%20Manager%20Client%20Tools%2015-BETA | < 1.0.0-159000.4.12.1 |
| pkg:rpm/suse/golang-github-prometheus-alertmanager&distro=SUSE%20Manager%20Client%20Tools%2012-BETA | < 0.26.0-4.12.4 |
| pkg:rpm/suse/golang-github-prometheus-node_exporter&distro=SUSE%20Manager%20Client%20Tools%2012-BETA | < 1.5.0-4.15.4 |
| pkg:rpm/suse/golang-github-prometheus-prometheus&distro=SUSE%20Manager%20Client%20Tools%2012 | < 2.53.3-1.56.1 |
| pkg:rpm/suse/golang-github-prometheus-prometheus&distro=SUSE%20Manager%20Client%20Tools%2012-BETA | < 2.45.0-4.33.3 |
| pkg:rpm/suse/golang-github-prometheus-prometheus&distro=SUSE%20Manager%20Client%20Tools%2015 | < 2.53.3-150000.3.59.1 |
| pkg:rpm/suse/golang-github-prometheus-prometheus&distro=SUSE%20Manager%20Client%20Tools%2015-BETA | < 2.45.0-159000.6.33.1 |
| pkg:rpm/suse/golang-github-prometheus-promu&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6 | < 0.17.0-150000.3.24.1 |
| pkg:rpm/suse/golang-github-prometheus-promu&distro=SUSE%20Manager%20Client%20Tools%2012 | < 0.17.0-1.24.1 |
| pkg:rpm/suse/golang-github-prometheus-promu&distro=SUSE%20Manager%20Client%20Tools%2012-BETA | < 0.14.0-4.12.2 |
| pkg:rpm/suse/golang-github-QubitProducts-exporter_exporter&distro=SUSE%20Manager%20Client%20Tools%2012-BETA | < 0.4.0-4.6.2 |
| pkg:rpm/suse/golang-github-QubitProducts-exporter_exporter&distro=SUSE%20Manager%20Client%20Tools%2015-BETA | < 0.4.0-159000.4.6.1 |
| pkg:rpm/suse/golang-github-QubitProducts-exporter_exporter&distro=SUSE%20Manager%20Client%20Tools%20Beta%20for%20SLE%20Micro%205 | < 0.4.0-159000.4.6.1 |
| pkg:rpm/suse/grafana&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP4 | < 9.5.5-150200.3.44.1 |
| pkg:rpm/suse/grafana&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5 | < 9.5.5-150200.3.44.1 |
| pkg:rpm/suse/grafana&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6 | < 10.4.13-150200.3.59.1 |
| pkg:rpm/suse/grafana&distro=SUSE%20Manager%20Client%20Tools%2012 | < 9.5.5-1.51.1 |
| pkg:rpm/suse/grafana&distro=SUSE%20Manager%20Client%20Tools%2012-BETA | < 9.5.8-4.21.2 |
| pkg:rpm/suse/grafana&distro=SUSE%20Manager%20Client%20Tools%2015 | < 10.4.13-150000.1.66.1 |
| pkg:rpm/suse/grafana&distro=SUSE%20Manager%20Client%20Tools%2015-BETA | < 9.5.8-159000.4.24.1 |
| pkg:rpm/suse/kiwi-desc-saltboot&distro=SUSE%20Manager%20Client%20Tools%2012-BETA | < 0.1.1687520761.cefb248-4.15.2 |
| pkg:rpm/suse/mgr-push&distro=SUSE%20Manager%20Client%20Tools%2012-BETA | < 5.0.1-4.21.4 |
| pkg:rpm/suse/mgr-push&distro=SUSE%20Manager%20Client%20Tools%2015-BETA | < 5.0.1-159000.4.21.1 |
| pkg:rpm/suse/prometheus-blackbox_exporter&distro=SUSE%20Manager%20Client%20Tools%2012-BETA | < 0.24.0-3.6.3 |
| pkg:rpm/suse/prometheus-blackbox_exporter&distro=SUSE%20Manager%20Client%20Tools%2015-BETA | < 0.24.0-159000.3.6.1 |
| pkg:rpm/suse/prometheus-blackbox_exporter&distro=SUSE%20Manager%20Client%20Tools%20Beta%20for%20SLE%20Micro%205 | < 0.24.0-159000.3.6.1 |
| pkg:rpm/suse/prometheus-postgres_exporter&distro=SUSE%20Manager%20Client%20Tools%2012-BETA | < 0.10.1-3.6.4 |
| pkg:rpm/suse/prometheus-postgres_exporter&distro=SUSE%20Manager%20Client%20Tools%2015-BETA | < 0.10.1-159000.3.6.1 |
| pkg:rpm/suse/python-hwdata&distro=SUSE%20Manager%20Client%20Tools%2012-BETA | < 2.3.5-15.12.2 |
| pkg:rpm/suse/python-hwdata&distro=SUSE%20Manager%20Client%20Tools%2015-BETA | < 2.3.5-159000.5.13.1 |
| pkg:rpm/suse/python-pyvmomi&distro=SUSE%20Manager%20Client%20Tools%2015-BETA | < 6.7.3-159000.3.6.1 |
| pkg:rpm/suse/rhnlib&distro=SUSE%20Manager%20Client%20Tools%2012-BETA | < 5.0.1-24.30.3 |
| pkg:rpm/suse/rhnlib&distro=SUSE%20Manager%20Client%20Tools%2015-BETA | < 5.0.1-159000.6.30.1 |
| pkg:rpm/suse/spacecmd&distro=SUSE%20Manager%20Client%20Tools%2012 | < 5.0.11-38.153.1 |
| pkg:rpm/suse/spacecmd&distro=SUSE%20Manager%20Client%20Tools%2012-BETA | < 5.0.1-41.42.3 |
| pkg:rpm/suse/spacecmd&distro=SUSE%20Manager%20Client%20Tools%2015 | < 5.0.11-150000.3.130.1 |
| pkg:rpm/suse/spacecmd&distro=SUSE%20Manager%20Client%20Tools%2015-BETA | < 5.0.1-159000.6.42.1 |
| pkg:rpm/suse/spacewalk-client-tools&distro=SUSE%20Manager%20Client%20Tools%2015-BETA | < 5.0.1-159000.6.48.1 |
| pkg:rpm/suse/supportutils-plugin-salt&distro=SUSE%20Enterprise%20Storage%207.1 | < 1.2.3-150000.3.16.1 |
| pkg:rpm/suse/supportutils-plugin-salt&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS | < 1.2.3-150000.3.16.1 |
| pkg:rpm/suse/supportutils-plugin-salt&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS | < 1.2.3-150000.3.16.1 |
| pkg:rpm/suse/supportutils-plugin-salt&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS | < 1.2.3-150000.3.16.1 |
| pkg:rpm/suse/supportutils-plugin-salt&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOS | < 1.2.3-150000.3.16.1 |
| pkg:rpm/suse/supportutils-plugin-salt&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSS | < 1.2.3-150000.3.16.1 |
| pkg:rpm/suse/supportutils-plugin-salt&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6 | < 1.2.3-150000.3.16.1 |
| pkg:rpm/suse/supportutils-plugin-salt&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS | < 1.2.3-150000.3.16.1 |
| pkg:rpm/suse/supportutils-plugin-salt&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS | < 1.2.3-150000.3.16.1 |
| pkg:rpm/suse/supportutils-plugin-salt&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSS | < 1.2.3-150000.3.16.1 |
| pkg:rpm/suse/supportutils-plugin-salt&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3 | < 1.2.3-150000.3.16.1 |
| pkg:rpm/suse/supportutils-plugin-salt&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4 | < 1.2.3-150000.3.16.1 |
| pkg:rpm/suse/supportutils-plugin-salt&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5 | < 1.2.3-150000.3.16.1 |
| pkg:rpm/suse/supportutils-plugin-salt&distro=SUSE%20Manager%20Client%20Tools%2012 | < 1.2.3-6.25.1 |
| pkg:rpm/suse/supportutils-plugin-salt&distro=SUSE%20Manager%20Client%20Tools%2012-BETA | < 1.2.2-9.9.2 |
| pkg:rpm/suse/supportutils-plugin-salt&distro=SUSE%20Manager%20Client%20Tools%2015 | < 1.2.3-150000.3.16.1 |
| pkg:rpm/suse/supportutils-plugin-salt&distro=SUSE%20Manager%20Client%20Tools%2015-BETA | < 1.2.2-159000.5.9.1 |
| pkg:rpm/suse/supportutils-plugin-salt&distro=SUSE%20Manager%20Proxy%204.3 | < 1.2.3-150000.3.16.1 |
| pkg:rpm/suse/supportutils-plugin-salt&distro=SUSE%20Manager%20Server%204.3 | < 1.2.3-150000.3.16.1 |
| pkg:rpm/suse/supportutils-plugin-susemanager-client&distro=SUSE%20Manager%20Client%20Tools%2012 | < 5.0.4-6.33.1 |
| pkg:rpm/suse/supportutils-plugin-susemanager-client&distro=SUSE%20Manager%20Client%20Tools%2012-BETA | < 5.0.1-9.15.2 |
| pkg:rpm/suse/supportutils-plugin-susemanager-client&distro=SUSE%20Manager%20Client%20Tools%2015 | < 5.0.4-150000.3.27.1 |
| pkg:rpm/suse/supportutils-plugin-susemanager-client&distro=SUSE%20Manager%20Client%20Tools%2015-BETA | < 5.0.1-159000.6.15.1 |
| pkg:rpm/suse/system-user-grafana&distro=SUSE%20Manager%20Client%20Tools%2012-BETA | < 1.0.0-3.7.2 |
| pkg:rpm/suse/system-user-prometheus&distro=SUSE%20Manager%20Client%20Tools%2012-BETA | < 1.0.0-3.7.2 |
| pkg:rpm/suse/uyuni-common-libs&distro=SUSE%20Manager%20Client%20Tools%2012-BETA | < 5.0.1-3.33.3 |
| pkg:rpm/suse/uyuni-common-libs&distro=SUSE%20Manager%20Client%20Tools%2015-BETA | < 5.0.1-159000.3.33.1 |
| pkg:rpm/suse/uyuni-proxy-systemd-services&distro=SUSE%20Manager%20Client%20Tools%2015-BETA | < 5.0.1-159000.3.9.1 |
| pkg:rpm/suse/uyuni-proxy-systemd-services&distro=SUSE%20Manager%20Client%20Tools%20Beta%20for%20SLE%20Micro%205 | < 5.0.1-159000.3.9.1 |
| pkg:rpm/suse/uyuni-tools&distro=SUSE%20Manager%20Client%20Tools%2012 | < 0.1.28-1.16.1 |
| pkg:rpm/suse/uyuni-tools&distro=SUSE%20Manager%20Client%20Tools%2015 | < 0.1.28-150000.1.16.1 |
| pkg:rpm/suse/uyuni-tools&distro=SUSE%20Manager%20Client%20Tools%20for%20SLE%20Micro%205 | < 0.1.28-150000.1.16.1 |
- Range: 9.5.0
Patches
Vulnerability mechanics
References
- github.com/advisories/GHSA-mpv3-g8m3-3fjc (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-3128 (ghsa, ADVISORY)
- github.com/grafana/bugbounty/security/advisories/GHSA-gxh2-6vvc-rrgp (ghsa, WEB)
- github.com/grafana/grafana/blob/69fc4e6bc0be2a82085ab3885c2262a4d49e97d8/CHANGELOG.md (ghsa, WEB)
- grafana.com/security/security-advisories/cve-2023-3128 (ghsa, WEB)
- security.netapp.com/advisory/ntap-20230714-0004 (ghsa, WEB)
- grafana.com/security/security-advisories/cve-2023-3128/ (mitre)
- security.netapp.com/advisory/ntap-20230714-0004/ (mitre)