CVE-2023-3128 — Grafana vulnerable to Authentication Bypass by Spoofing

Description

Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.

How to fix CVE-2023-3128

To remediate CVE-2023-3128, upgrade the affected package to a fixed version below.

—upgrade to 8.5.27 or later
—upgrade to 9.4.13 or later

Is CVE-2023-3128 being exploited?

Low — EPSS is 1.9%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 6.7.0, < 8.5.27, >= 9.2.0, < 9.2.20, >= 9.3.0, < 9.3.16, >= 9.4.0, < 9.4.13, >= 9.5.0, < 9.5.4
>= 9.4.0, < 9.4.13

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-3128
PATCHgithub.com/grafana/grafana
WEBgithub.com/grafana/bugbounty/security/advisories/GHSA-gxh2-6vvc-rrgp
WEBgithub.com/grafana/grafana/blob/69fc4e6bc0be2a82085ab3885c2262a4d49e97d8/CHANGELOG.md