CVE-2023-3128

2023-06-2220:14:00

CWE-290

GRAFANA

www.cve.org

grafana

azure ad

email validation

account takeover

authentication bypass

oauth

multi-tenant app

9.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

9.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

51.3%

JSON

Grafana is validating Azure AD accounts based on the email claim.

On Azure AD, the profile email field is not unique and can be easily modified.

This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Grafana",
    "vendor": "Grafana",
    "versions": [
      {
        "lessThan": "9.5.4",
        "status": "affected",
        "version": "9.5.0",
        "versionType": "semver"
      },
      {
        "lessThan": "9.4.13",
        "status": "affected",
        "version": "9.4.0",
        "versionType": "semver"
      },
      {
        "lessThan": "9.3.16",
        "status": "affected",
        "version": "9.3.0",
        "versionType": "semver"
      },
      {
        "lessThan": "9.2.20",
        "status": "affected",
        "version": "9.2.0",
        "versionType": "semver"
      },
      {
        "lessThan": "8.5.27",
        "status": "affected",
        "version": "6.7.0",
        "versionType": "semver"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Grafana Enterprise",
    "vendor": "Grafana",
    "versions": [
      {
        "lessThan": "9.5.4",
        "status": "affected",
        "version": "9.5.0",
        "versionType": "semver"
      },
      {
        "lessThan": "9.4.13",
        "status": "affected",
        "version": "9.4.0",
        "versionType": "semver"
      },
      {
        "lessThan": "9.3.16",
        "status": "affected",
        "version": "9.3.0",
        "versionType": "semver"
      },
      {
        "lessThan": "9.2.20",
        "status": "affected",
        "version": "9.2.0",
        "versionType": "semver"
      },
      {
        "lessThan": "8.5.27",
        "status": "affected",
        "version": "6.7.0",
        "versionType": "semver"
      }
    ]
  }
]