CVE-2023-3128

Summary

Grafana is validating Azure AD accounts based on the email claim.

On Azure AD, the profile email field is not unique and can be easily modified.

This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.

Affected Software

VendorProductVersion RangeStatus
GrafanaGrafana9.5.0 < 9.5.4affected
GrafanaGrafana9.4.0 < 9.4.13affected
GrafanaGrafana9.3.0 < 9.3.16affected
GrafanaGrafana9.2.0 < 9.2.20affected
GrafanaGrafana6.7.0 < 8.5.27affected
GrafanaGrafana Enterprise9.5.0 < 9.5.4affected
GrafanaGrafana Enterprise9.4.0 < 9.4.13affected
GrafanaGrafana Enterprise9.3.0 < 9.3.16affected
GrafanaGrafana Enterprise9.2.0 < 9.2.20affected
GrafanaGrafana Enterprise6.7.0 < 8.5.27affected

Weaknesses

  • CWE-290: CWE-290

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

References