cbcvebase.
CVE-2023-3128
published 2023-06-22


Priority: P2 (63)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 4.09% (89.5th percentile)
Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.

Affected (14 ranges)

Vendor        Product               Version range          Fixed in
github.com    grafana_grafana       >= 0 < 8.5.27          8.5.27
github.com    grafana_grafana       >= 9.0.0 < 9.2.20      9.2.20
github.com    grafana_grafana       >= 9.3.0 < 9.3.16      9.3.16
github.com    grafana_grafana       >= 9.4.0 < 9.4.13      9.4.13
grafana       grafana               >= 6.7.0 < 8.5.27      8.5.27
grafana       grafana               >= 9.2.0 < 9.2.20      9.2.20
grafana       grafana               >= 9.3.0 < 9.3.16      9.3.16
grafana       grafana               >= 9.4.0 < 9.4.13      9.4.13
grafana       grafana               >= 9.5.0 < 9.5.4       9.5.4
grafana       grafana_enterprise    >= 6.7.0 < 8.5.27      8.5.27
grafana       grafana_enterprise    >= 9.2.0 < 9.2.20      9.2.20
grafana       grafana_enterprise    >= 9.3.0 < 9.3.16      9.3.16
grafana       grafana_enterprise    >= 9.4.0 < 9.4.13      9.4.13
grafana       grafana_enterprise    >= 9.5.0 < 9.5.4       9.5.4

Detection & IOCs (extracted from sources)

  • The authentication bypass occurs only when Azure AD OAuth is configured with a multi-tenant app: monitor Grafana login events on instances that use a multi-tenant Azure AD OAuth application for unexpected account access.
  • Check the Grafana configuration file at /etc/grafana/grafana.ini: if the Azure AD section is enabled in a multi-tenant context, the instance is potentially vulnerable.
  • Azure Active Directory OAuth is disabled by default in Grafana; the vulnerability is only exploitable if it has been explicitly enabled in the configuration.
  • The attack surface is limited to multi-tenant Azure AD OAuth application configurations; single-tenant configurations are not described as affected.
  • Recommended mitigation: disable Azure Active Directory in the Grafana configuration file until a patched version is deployed.
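The two checks above (is Azure AD OAuth enabled in grafana.ini, and is the app multi-tenant) can be automated together with the version ranges from the Affected table. The following script is an added example written for this page, not code from Grafana or from the advisory's sources. It assumes Grafana's `[auth.azuread]` section with its `enabled` and `auth_url` keys, and it treats an `auth_url` whose tenant segment is `common` or `organizations` as multi-tenant; that heuristic, the sample ini fragments and the version list (the union of the table rows) are this example's own assumptions.

```python
import configparser
from urllib.parse import urlparse

# Affected (introduced, fixed) ranges, taken as the union of the rows in the
# Affected table above: a version v is affected when introduced <= v < fixed.
AFFECTED_RANGES = [
    ((0, 0, 0), (8, 5, 27)),
    ((9, 0, 0), (9, 2, 20)),
    ((9, 3, 0), (9, 3, 16)),
    ((9, 4, 0), (9, 4, 13)),
    ((9, 5, 0), (9, 5, 4)),
]

# Tenant path segments in an Azure AD auth_url that accept sign-ins from any
# tenant. Treating these as "multi-tenant" is this script's assumption, not a
# statement taken from the advisory.
MULTI_TENANT_SEGMENTS = {"common", "organizations"}

# Constructed sample grafana.ini fragments (not from any real deployment).
SAMPLE_MULTI_TENANT_INI = """\
app_mode = production

[server]
http_port = 3000

[auth.azuread]
enabled = true
name = Azure AD
client_id = 00000000-0000-0000-0000-000000000000
auth_url = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/common/oauth2/v2.0/token
"""

SAMPLE_SINGLE_TENANT_INI = """\
[auth.azuread]
enabled = true
client_id = 00000000-0000-0000-0000-000000000000
auth_url = https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/oauth2/v2.0/authorize
"""

SAMPLE_DISABLED_INI = """\
[auth.azuread]
;enabled = false
auth_url = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
"""


def parse_version(text):
    """'v9.5.3-beta1' -> (9, 5, 3); missing components are padded with 0."""
    core = text.strip().lstrip("v").split("-")[0].split("+")[0]
    nums = [int(p) for p in core.split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def version_is_affected(version):
    """True when the version falls inside any range of the Affected table."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def tenant_from_auth_url(auth_url):
    """Return the <tenant> segment of https://login.microsoftonline.com/<tenant>/oauth2/..."""
    first = urlparse(auth_url.strip()).path.strip("/").split("/")[0]
    return first.lower() or None


def assess_azuread_config(ini_text, grafana_version):
    """Combine the grafana.ini check with the version check from the Affected table."""
    cfg = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    # grafana.ini may carry top-level keys before the first section header,
    # which configparser rejects; a synthetic header absorbs them.
    cfg.read_string("[__top__]\n" + ini_text)
    enabled = cfg.getboolean("auth.azuread", "enabled", fallback=False)
    tenant = tenant_from_auth_url(cfg.get("auth.azuread", "auth_url", fallback=""))
    multi_tenant = tenant in MULTI_TENANT_SEGMENTS
    affected = version_is_affected(grafana_version)
    return {
        "azuread_enabled": enabled,
        "tenant": tenant,
        "multi_tenant": multi_tenant,
        "version_affected": affected,
        # The advisory scopes the bypass to enabled, multi-tenant Azure AD OAuth
        # on an unpatched version; all three must hold for "at_risk".
        "at_risk": enabled and multi_tenant and affected,
    }


if __name__ == "__main__":
    import json
    for label, ini in [("multi-tenant", SAMPLE_MULTI_TENANT_INI),
                       ("single-tenant", SAMPLE_SINGLE_TENANT_INI),
                       ("disabled", SAMPLE_DISABLED_INI)]:
        print(label, json.dumps(assess_azuread_config(ini, "9.5.3")))
```

Run it against a real file with `assess_azuread_config(open("/etc/grafana/grafana.ini").read(), version)`, where `version` comes from the instance's build info. A single-tenant `auth_url` (a tenant ID in the path) or a disabled section yields `at_risk: False`, matching the scope the detection notes describe; only the combination of an enabled section, a multi-tenant endpoint and an unpatched version is flagged.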

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv: 9.8 CRITICAL
vendor_redhat: 9.4 CRITICAL