9.8

CVE-2023-3128

Grafana is validating Azure AD accounts based on the email claim. 

On Azure AD, the profile email field is not unique and can be easily modified. 

This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.

Data is provided by the National Vulnerability Database (NVD)
GrafanaGrafana SwEdition- Version >= 6.7.0 < 8.5.27
GrafanaGrafana SwEditionenterprise Version >= 6.7.0 < 8.5.27
GrafanaGrafana SwEdition- Version >= 9.2.0 < 9.2.20
GrafanaGrafana SwEditionenterprise Version >= 9.2.0 < 9.2.20
GrafanaGrafana SwEdition- Version >= 9.3.0 < 9.3.16
GrafanaGrafana SwEditionenterprise Version >= 9.3.0 < 9.3.16
GrafanaGrafana SwEdition- Version >= 9.4.0 < 9.4.13
GrafanaGrafana SwEditionenterprise Version >= 9.4.0 < 9.4.13
GrafanaGrafana SwEdition- Version >= 9.5.0 < 9.5.4
GrafanaGrafana SwEditionenterprise Version >= 9.5.0 < 9.5.4
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 1.88% 0.825
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security@grafana.com 9.4 3.9 5.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
CWE-290 Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.