VYPR
Critical severityNVD Advisory· Published Jun 22, 2023· Updated Feb 13, 2025

CVE-2023-3128

CVE-2023-3128

Description

Grafana is validating Azure AD accounts based on the email claim.

On Azure AD, the profile email field is not unique and can be easily modified.

This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/grafana/grafanaGo
>= 9.4.0, < 9.4.139.4.13
github.com/grafana/grafanaGo
>= 9.3.0, < 9.3.169.3.16
github.com/grafana/grafanaGo
>= 9.0.0, < 9.2.209.2.20
github.com/grafana/grafanaGo
< 8.5.278.5.27

Affected products

97

Patches

Vulnerability mechanics

References

8

News mentions

0

No linked articles in our index yet.