Critical severity · NVD Advisory · Published Jun 22, 2023 · Updated Feb 13, 2025
CVE-2023-3128
Description
Grafana validates Azure AD accounts based on the email claim.
On Azure AD, the profile email field is not unique and can easily be modified by the account's owner.
This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.
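The following Go example is added here to illustrate the binding problem the description names; it is not Grafana's code and not Grafana's patch. It keeps a constructed in-memory user table and compares two ways of resolving an Azure AD ID token to a local user: matching on the `email` claim (the flawed binding) versus matching on the immutable `oid` claim scoped by the issuing tenant `tid` behind an explicit tenant allow-list (an illustrative hardening). The token is assumed to be signature-verified before reaching this code; the user records, tenant ids and object ids are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
)

// Claims is the subset of Azure AD ID-token claims used here. Azure AD issues
// "email" (user-editable, not unique across tenants), "oid" (immutable object
// id of the account within its tenant) and "tid" (the issuing tenant).
// Assumption: signature and expiry were already verified upstream.
type Claims struct {
	Email string
	OID   string
	TID   string
}

// User is a constructed stand-in for a local user record.
type User struct {
	Login string
	Email string
	OID   string
	TID   string
	Admin bool
}

// Store is a constructed in-memory user table indexed both ways.
type Store struct {
	byEmail map[string]*User
	byOID   map[string]*User // key: tid + "/" + oid
}

func NewStore(users ...*User) *Store {
	s := &Store{byEmail: map[string]*User{}, byOID: map[string]*User{}}
	for _, u := range users {
		s.byEmail[u.Email] = u
		s.byOID[u.TID+"/"+u.OID] = u
	}
	return s
}

// LookupByEmail reproduces the flawed binding the advisory describes: the
// account is chosen purely by the email claim, so a token from any tenant
// whose email value matches an existing user resolves to that user.
func (s *Store) LookupByEmail(c Claims) (*User, error) {
	if u, ok := s.byEmail[c.Email]; ok {
		return u, nil
	}
	return nil, errors.New("no such user")
}

// LookupByObjectID is an illustrative hardened variant (not Grafana's patch):
// the login is bound to the immutable (tid, oid) pair and only tokens issued
// by tenants on an explicit allow-list are accepted.
func (s *Store) LookupByObjectID(c Claims, allowedTenants map[string]bool) (*User, error) {
	if !allowedTenants[c.TID] {
		return nil, fmt.Errorf("tenant %q is not allowed", c.TID)
	}
	if c.OID == "" {
		return nil, errors.New("token lacks oid claim")
	}
	if u, ok := s.byOID[c.TID+"/"+c.OID]; ok {
		return u, nil
	}
	return nil, errors.New("no such user")
}

// Scenario replays the advisory's condition with constructed data: an admin
// from "tenant-a" and a token from an unrelated tenant carrying the same
// email. It returns who the email-based lookup resolves to and the error the
// hardened lookup produces for the same token.
func Scenario() (emailMatch *User, hardenedErr error) {
	admin := &User{Login: "admin", Email: "admin@example.com", OID: "oid-admin-1", TID: "tenant-a", Admin: true}
	store := NewStore(admin)
	allowed := map[string]bool{"tenant-a": true}

	// Constructed token from a different tenant whose profile email was set to match.
	foreign := Claims{Email: "admin@example.com", OID: "oid-other-9", TID: "tenant-b"}

	emailMatch, _ = store.LookupByEmail(foreign)
	_, hardenedErr = store.LookupByObjectID(foreign, allowed)
	return emailMatch, hardenedErr
}

func main() {
	u, err := Scenario()
	fmt.Printf("email-based lookup resolved to: %s (admin=%v)\n", u.Login, u.Admin)
	fmt.Printf("oid-based lookup: %v\n", err)
}
```

The email-based lookup hands the foreign-tenant token the admin record, which is the takeover the description refers to; the oid-based lookup rejects it at the tenant allow-list before any user matching happens, and would still miss on `tid/oid` even for an allowed tenant.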
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/grafana/grafana | Go | >= 9.4.0, < 9.4.13 | 9.4.13 |
| github.com/grafana/grafana | Go | >= 9.3.0, < 9.3.16 | 9.3.16 |
| github.com/grafana/grafana | Go | >= 9.0.0, < 9.2.20 | 9.2.20 |
| github.com/grafana/grafana | Go | < 8.5.27 | 8.5.27 |
Affected products
- Grafana / Grafana Enterprise, range: 9.5.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-mpv3-g8m3-3fjc (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-3128 (GHSA, advisory)
- github.com/grafana/bugbounty/security/advisories/GHSA-gxh2-6vvc-rrgp (GHSA, web)
- github.com/grafana/grafana/blob/69fc4e6bc0be2a82085ab3885c2262a4d49e97d8/CHANGELOG.md (GHSA, web)
- grafana.com/security/security-advisories/cve-2023-3128 (GHSA, web)
- security.netapp.com/advisory/ntap-20230714-0004 (GHSA, web)
- grafana.com/security/security-advisories/cve-2023-3128/ (MITRE)
- security.netapp.com/advisory/ntap-20230714-0004/ (MITRE)
News mentions
No linked articles in our index yet.