CRITICAL✓ PATCH🇬🇧 English

CVE-2023-3128

CVSS 9.4v3.1pub. 2023-06-22upd. 2025-02-13

Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
  • Grafana

    APP
    Grafana
    6.7.0 – 8.5.27 (bez)9.2.0 – 9.2.20 (bez)9.3.0 – 9.3.16 (bez)9.4.0 – 9.4.13 (bez)9.5.0 – 9.5.4 (bez)
🟢
PATCH DOSTĘPNY
Aktualizacja od producenta gotowa. Wdrożenie w ramach standardowego cyklu.
Tagi
Auth Bypass
CWE
Referencje

Powiązane podatności

CVE-2021-39226CRITICAL9.8⚠ KEVten sam produkt

Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated ...

CVE-2026-27876CRITICAL9.1PL ✓ten sam produkt

RCE w Grafana przez SQL Expressions i plugin Enterprise (CVE-2026-27876)

CVE-2025-41115CRITICAL10.0PL ✓ten sam produkt

Grafana Enterprise: privilege escalation przez SCIM provisioning (LPE)

CVE-2024-9264CRITICAL9.4PL ✓ten sam produkt

Grafana: command injection i local file inclusion przez SQL Expressions (duckdb)

CVE-2022-39328CRITICAL9.8ten sam produkt

Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less tha...

CVE-2023-3128 — CRITICAL 9.4 | CVEbaza.pl