9.8

CVE-2023-3128

Grafana is validating Azure AD accounts based on the email claim. 

On Azure AD, the profile email field is not unique and can be easily modified. 

This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GrafanaGrafana SwEdition- Version >= 6.7.0 < 8.5.27
GrafanaGrafana SwEditionenterprise Version >= 6.7.0 < 8.5.27
GrafanaGrafana SwEdition- Version >= 9.2.0 < 9.2.20
GrafanaGrafana SwEditionenterprise Version >= 9.2.0 < 9.2.20
GrafanaGrafana SwEdition- Version >= 9.3.0 < 9.3.16
GrafanaGrafana SwEditionenterprise Version >= 9.3.0 < 9.3.16
GrafanaGrafana SwEdition- Version >= 9.4.0 < 9.4.13
GrafanaGrafana SwEditionenterprise Version >= 9.4.0 < 9.4.13
GrafanaGrafana SwEdition- Version >= 9.5.0 < 9.5.4
GrafanaGrafana SwEditionenterprise Version >= 9.5.0 < 9.5.4
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.88% 0.826
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security@grafana.com 9.4 3.9 5.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
CWE-290 Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.