CVE-2023-3128
Published 2023-06-22
Priority P2 (63)
Severity: critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.09% (89.5th percentile)
Grafana is validating Azure AD accounts based on the email claim.
On Azure AD, the profile email field is not unique and can be easily modified.
This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.
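The three sentences above compress the whole bug: the login decision hinged on a claim the token holder can edit and that is not unique across tenants, and a multi-tenant app accepts tokens from every tenant. The following is an added illustration, not Grafana's code and not the upstream patch: a toy user store resolved first by the `email` claim (the behaviour the advisory describes) and then by the `tid` plus `oid` claims with a tenant allowlist. `tid` and `oid` are real Azure AD ID-token claim names; the tenant ids, object ids and account are constructed, and the claim dictionaries stand in for a token whose signature has already been verified.

```python
"""Added example, not Grafana's code: why keying a login on the Azure AD
`email` claim enables account takeover, next to a tenant-aware lookup.

The claim dictionaries are constructed stand-ins for the payload of an Azure
AD ID token that has already passed signature validation; `tid` (tenant id)
and `oid` (object id) are real Azure AD claim names, the values are made up.
The hardened variant shows one sound design, not the upstream patch."""
from dataclasses import dataclass, field


@dataclass
class Account:
    login: str
    tenant_id: str   # tid of the tenant the account was provisioned from
    object_id: str   # oid: stable per user within that tenant, not user-editable


@dataclass
class UserStore:
    by_email: dict = field(default_factory=dict)
    by_tenant_oid: dict = field(default_factory=dict)

    def add(self, acct, email):
        self.by_email[email.lower()] = acct
        self.by_tenant_oid[(acct.tenant_id, acct.object_id)] = acct


def login_vulnerable(store, claims):
    """Pre-fix behaviour as the advisory describes it: the account is resolved
    from the email claim alone. With a multi-tenant app, a user of *any* tenant
    who sets their mutable profile email to the victim's address lands in the
    victim's account."""
    return store.by_email.get(claims.get("email", "").lower())


def login_hardened(store, claims, allowed_tenants):
    """Accept only allow-listed tenants and key the account on (tid, oid),
    neither of which the token holder can edit in their profile."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid or tid not in allowed_tenants:
        return None
    return store.by_tenant_oid.get((tid, oid))


# Constructed tenant and object ids.
VICTIM_TENANT = "11111111-1111-1111-1111-111111111111"
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"

VICTIM_CLAIMS = {"tid": VICTIM_TENANT, "oid": "aaaa-0001",
                 "email": "alice@example.com"}
# Attacker: legitimate user of an unrelated tenant, profile email set to alice's.
CROSS_TENANT_ATTACKER = {"tid": OTHER_TENANT, "oid": "bbbb-0002",
                         "email": "alice@example.com"}
# Attacker inside the victim's tenant with a spoofed email but their own oid.
SAME_TENANT_ATTACKER = {"tid": VICTIM_TENANT, "oid": "cccc-0003",
                        "email": "alice@example.com"}


def build_store():
    store = UserStore()
    store.add(Account("alice", VICTIM_TENANT, "aaaa-0001"), "alice@example.com")
    return store


def _name(acct):
    return acct.login if acct else None


def demo():
    """Resolve each constructed token against both lookups; returns login or None."""
    store = build_store()
    allowed = {VICTIM_TENANT}
    return {
        "vuln_cross_tenant": _name(login_vulnerable(store, CROSS_TENANT_ATTACKER)),
        "vuln_same_tenant": _name(login_vulnerable(store, SAME_TENANT_ATTACKER)),
        "hard_cross_tenant": _name(login_hardened(store, CROSS_TENANT_ATTACKER, allowed)),
        "hard_same_tenant": _name(login_hardened(store, SAME_TENANT_ATTACKER, allowed)),
        "hard_victim": _name(login_hardened(store, VICTIM_CLAIMS, allowed)),
    }


if __name__ == "__main__":
    for case, who in demo().items():
        print(f"{case:18} -> {who}")
```

Both attacker tokens resolve to `alice` under the email-keyed lookup; neither does under the `(tid, oid)` lookup, and the tenant allowlist alone would not have stopped the same-tenant case. The general lesson for any OIDC relying party is the same: `email` is a display attribute, the stable subject is `sub` (for Azure AD, `oid` scoped by `tid`), and only the stable identifier should key an account.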
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 0 < 8.5.27 | 8.5.27 |
| github.com | grafana_grafana | >= 9.0.0 < 9.2.20 | 9.2.20 |
| github.com | grafana_grafana | >= 9.3.0 < 9.3.16 | 9.3.16 |
| github.com | grafana_grafana | >= 9.4.0 < 9.4.13 | 9.4.13 |
| grafana | grafana | >= 6.7.0 < 8.5.27 | 8.5.27 |
| grafana | grafana | >= 9.2.0 < 9.2.20 | 9.2.20 |
| grafana | grafana | >= 9.3.0 < 9.3.16 | 9.3.16 |
| grafana | grafana | >= 9.4.0 < 9.4.13 | 9.4.13 |
| grafana | grafana | >= 9.5.0 < 9.5.4 | 9.5.4 |
| grafana | grafana_enterprise | >= 6.7.0 < 8.5.27 | 8.5.27 |
| grafana | grafana_enterprise | >= 9.2.0 < 9.2.20 | 9.2.20 |
| grafana | grafana_enterprise | >= 9.3.0 < 9.3.16 | 9.3.16 |
| grafana | grafana_enterprise | >= 9.4.0 < 9.4.13 | 9.4.13 |
| grafana | grafana_enterprise | >= 9.5.0 < 9.5.4 | 9.5.4 |
Detection & IOCs (extracted from sources)
- Authentication bypass occurs when Azure AD OAuth is configured with a multi-tenant app: where Grafana uses a multi-tenant Azure AD OAuth application, monitor Grafana login events for unexpected account access.
- Check the Grafana configuration file at /etc/grafana/grafana.ini: if the Azure AD section is enabled in a multi-tenant context, the instance is potentially vulnerable.
- Azure Active Directory OAuth is disabled by default in Grafana; the vulnerability is only exploitable if it has been explicitly enabled in the configuration.
- The attack surface is limited to multi-tenant Azure AD OAuth application configurations; single-tenant configurations are not described as affected.
- Recommended mitigation: disable Azure Active Directory in the Grafana configuration file until a patched version is deployed.
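The checks listed above (is the Azure AD section enabled, is it a multi-tenant setup, is the running version inside the affected ranges) can be automated. The script below is an added example, not code from this page or from Grafana, and it also encodes the version ranges from the Affected table. It assumes Grafana's documented setting names `[auth.azuread]`, `enabled`, `auth_url` and `allowed_organizations` (the page itself only says "the Azure AD section"); it reads a `/common/` or `/organizations/` authority in `auth_url` as a multi-tenant indicator, which is a heuristic since the tenancy of the app registration lives in Azure, not in grafana.ini; and it flags an empty `allowed_organizations` as worth reviewing, which is this example's choice rather than a statement from the advisory. The grafana.ini fragments are constructed.

```python
"""Added example, not code from the page or from Grafana: assess a grafana.ini
and a running version against the conditions under which CVE-2023-3128 is
reachable (Azure AD OAuth enabled, multi-tenant use, unfixed version).

Assumptions: [auth.azuread], enabled, auth_url and allowed_organizations are
Grafana's documented setting names (the page only says "the Azure AD section");
treating a /common/ or /organizations/ authority in auth_url as a multi-tenant
indicator is a heuristic; flagging an empty allowed_organizations is this
example's choice, not a statement from the advisory."""
import configparser
import re

# Affected ranges copied from the page's "Affected" table as [introduced, fixed).
AFFECTED_RANGES = [
    ((0, 0, 0), (8, 5, 27)),
    ((9, 0, 0), (9, 2, 20)),
    ((9, 3, 0), (9, 3, 16)),
    ((9, 4, 0), (9, 4, 13)),
    ((9, 5, 0), (9, 5, 4)),
]
MULTI_TENANT_AUTHORITIES = ("/common/", "/organizations/")


def parse_version(text):
    """'v9.5.3', '9.5.3-beta1' or '10.0' -> (major, minor, patch)."""
    core = re.split(r"[-+]", text.strip().lstrip("v"), maxsplit=1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def version_affected(text):
    ver = parse_version(text)
    return any(lo <= ver < hi for lo, hi in AFFECTED_RANGES)


def azuread_findings(ini_text):
    """Read [auth.azuread] the way grafana.ini is written: ';' comments, keys
    possibly before the first header, $__env{...}/$__file{...} values."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string("[__root__]\n" + ini_text)
    sect = "auth.azuread"
    enabled = cp.has_section(sect) and cp.getboolean(sect, "enabled", fallback=False)
    if not enabled:
        return {"enabled": False, "multi_tenant_endpoint": False,
                "allowed_organizations": []}
    auth_url = cp.get(sect, "auth_url", fallback="")
    raw_orgs = cp.get(sect, "allowed_organizations", fallback="")
    return {"enabled": True,
            "multi_tenant_endpoint": any(m in auth_url for m in MULTI_TENANT_AUTHORITIES),
            "allowed_organizations": [o for o in re.split(r"[,\s]+", raw_orgs) if o]}


def assess(ini_text, version):
    f = azuread_findings(ini_text)
    f["version_affected"] = version_affected(version)
    if not f["enabled"]:
        f["verdict"] = "not exposed: Azure AD OAuth is disabled"
    elif not f["version_affected"]:
        f["verdict"] = "patched: version outside the affected ranges"
    elif f["multi_tenant_endpoint"]:
        f["verdict"] = "EXPOSED: unfixed version, Azure AD enabled against a multi-tenant authority"
    elif not f["allowed_organizations"]:
        f["verdict"] = "review: unfixed version, tenant-specific authority but no allowed_organizations"
    else:
        f["verdict"] = "review: unfixed version; tenant pinned in auth_url and allowlist set"
    return f


# Constructed grafana.ini fragments, not real deployments.
WEAK_INI = """
[auth.azuread]
enabled = true
client_id = 00000000-0000-0000-0000-000000000000
client_secret = $__file{/etc/grafana/azuread_secret}
auth_url = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/common/oauth2/v2.0/token
allowed_organizations =
"""
TENANT = "11111111-1111-1111-1111-111111111111"
PINNED_INI = (WEAK_INI.replace("/common/", f"/{TENANT}/")
              .replace("allowed_organizations =", f"allowed_organizations = {TENANT}"))
DISABLED_INI = "[auth.azuread]\nenabled = false\n"

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("pinned", PINNED_INI), ("disabled", DISABLED_INI)):
        print(f"{label:8} 9.5.3 -> {assess(ini, '9.5.3')['verdict']}")
    print(f"weak     9.5.4 -> {assess(WEAK_INI, '9.5.4')['verdict']}")
```

Point it at `/etc/grafana/grafana.ini` (and any `custom.ini` or `GF_AUTH_AZUREAD_*` environment overrides, which take precedence and which this script does not read) together with the version reported by the running server. The version check alone is enough to decide whether to upgrade; the configuration check tells you whether the instance was actually reachable through the multi-tenant path while unpatched.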
CVSS provenance
NVD: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
OSV: 9.8 CRITICAL
Red Hat: 9.4 CRITICAL
OSV
Grafana vulnerable to Authentication Bypass by Spoofing
osv · 2023-06-22 · CRITICAL
Description identical to the summary above.
GHSA
Grafana vulnerable to Authentication Bypass by Spoofing
ghsa · 2023-06-22 · CRITICAL · CWE-290 (Authentication Bypass by Spoofing)
Description identical to the summary above.
OSV
CVE-2023-3128: Grafana is validating Azure AD accounts based on the email claim
osv · 2023-06-22 · CRITICAL · CVSS 9.8
Description identical to the summary above.
Red Hat
grafana: account takeover possible when using Azure AD OAuth
vendor_redhat · 2023-06-22 · CRITICAL · CWE-305 (Authentication Bypass by Primary Weakness) · CVSS 9.4
A flaw was found in Grafana, which validates Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique across Azure AD tenants, which enables Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant AzureAD OAuth application. This may allow an attacker to gain complete control of the user's account, including access to private customer data and sensitive information.
Statement: The vulne
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/grafana/bugbounty/security/advisories/GHSA-gxh2-6vvc-rrgp
- https://grafana.com/security/security-advisories/cve-2023-3128/
- https://security.netapp.com/advisory/ntap-20230714-0004/