CVE-2023-3128 - OpenCVE

Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Grafana	Grafana

Configuration 1 [-]

OR	cpe:2.3:a:grafana:grafana:::::-:::*
	cpe:2.3:a:grafana:grafana:::::enterprise:::*
	cpe:2.3:a:grafana:grafana:::::-:::*
	cpe:2.3:a:grafana:grafana:::::enterprise:::*
	cpe:2.3:a:grafana:grafana:::::-:::*
	cpe:2.3:a:grafana:grafana:::::enterprise:::*
	cpe:2.3:a:grafana:grafana:::::-:::*
	cpe:2.3:a:grafana:grafana:::::enterprise:::*
	cpe:2.3:a:grafana:grafana:::::-:::*
	cpe:2.3:a:grafana:grafana:::::enterprise:::*

References

Link	Resource
https://github.com/grafana/bugbounty/security/advisories/GHSA-gxh2-6vvc-rrgp	Vendor Advisory
https://grafana.com/security/security-advisories/cve-2023-3128/	Vendor Advisory
https://security.netapp.com/advisory/ntap-20230714-0004/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GRAFANA

Published: 2023-06-22T20:14:00.805Z

Updated: 2023-07-06T08:24:09.716Z

Reserved: 2023-06-06T15:02:55.259Z

Link: CVE-2023-3128

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-06-22T21:15:09.573

Modified: 2023-07-21T19:19:27.410

Link: CVE-2023-3128

JSON object: View

Redhat Information

No data.

CWE

CWE-290

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-3128", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2023-06-06T15:02:55.259Z", "datePublished": "2023-06-22T20:14:00.805Z", "dateUpdated": "2023-07-06T08:24:09.716Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Grafana", "vendor": "Grafana", "versions": [{"lessThan": "9.5.4", "status": "affected", "version": "9.5.0", "versionType": "semver"}, {"lessThan": "9.4.13", "status": "affected", "version": "9.4.0", "versionType": "semver"}, {"lessThan": "9.3.16", "status": "affected", "version": "9.3.0", "versionType": "semver"}, {"lessThan": "9.2.20", "status": "affected", "version": "9.2.0", "versionType": "semver"}, {"lessThan": "8.5.27", "status": "affected", "version": "6.7.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "Grafana Enterprise", "vendor": "Grafana", "versions": [{"lessThan": "9.5.4", "status": "affected", "version": "9.5.0", "versionType": "semver"}, {"lessThan": "9.4.13", "status": "affected", "version": "9.4.0", "versionType": "semver"}, {"lessThan": "9.3.16", "status": "affected", "version": "9.3.0", "versionType": "semver"}, {"lessThan": "9.2.20", "status": "affected", "version": "9.2.0", "versionType": "semver"}, {"lessThan": "8.5.27", "status": "affected", "version": "6.7.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Grafana is validating Azure AD accounts based on the email claim. </p><p>On Azure AD, the profile email field is not unique and can be easily modified. </p><p>This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app. </p>"}], "value": "Grafana is validating Azure AD accounts based on the email claim. \n\nOn Azure AD, the profile email field is not unique and can be easily modified. \n\nThis leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app. \n\n"}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-290", "description": "CWE-290", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2023-07-06T08:24:09.716Z"}, "references": [{"url": "https://grafana.com/security/security-advisories/cve-2023-3128/"}, {"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-gxh2-6vvc-rrgp"}, {"url": "https://security.netapp.com/advisory/ntap-20230714-0004/"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*", "matchCriteriaId": "83E4CB78-7F97-4B9A-B644-ED98761C6213", "versionEndExcluding": "8.5.27", "versionStartIncluding": "6.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "26C597A7-F2D1-4A33-BBBD-352669DB8E91", "versionEndExcluding": "8.5.27", "versionStartIncluding": "6.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*", "matchCriteriaId": "C47AA0E0-72E8-4235-8D27-7F579929D179", "versionEndExcluding": "9.2.20", "versionStartIncluding": "9.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "F825B098-EEA7-415F-A9EA-6E72D741E614", "versionEndExcluding": "9.2.20", "versionStartIncluding": "9.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*", "matchCriteriaId": "4F05305B-94D2-4687-8AE9-F55CE840B647", "versionEndExcluding": "9.3.16", "versionStartIncluding": "9.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "C32F2F70-18A1-47D6-8B5E-F20D096AEBD0", "versionEndExcluding": "9.3.16", "versionStartIncluding": "9.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*", "matchCriteriaId": "C40FF772-6C54-4B5C-BD5C-560E192B79F6", "versionEndExcluding": "9.4.13", "versionStartIncluding": "9.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "61DA1D1A-D969-492E-9A43-A99E9A918A5A", "versionEndExcluding": "9.4.13", "versionStartIncluding": "9.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*", "matchCriteriaId": "B08F1010-C1F8-4F29-A65D-D9A741F77AA3", "versionEndExcluding": "9.5.4", "versionStartIncluding": "9.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "E61B4ECF-7DC6-4487-9F27-8660BD8AD179", "versionEndExcluding": "9.5.4", "versionStartIncluding": "9.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Grafana is validating Azure AD accounts based on the email claim. \n\nOn Azure AD, the profile email field is not unique and can be easily modified. \n\nThis leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app. \n\n"}], "id": "CVE-2023-3128", "lastModified": "2023-07-21T19:19:27.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "security@grafana.com", "type": "Secondary"}]}, "published": "2023-06-22T21:15:09.573", "references": [{"source": "security@grafana.com", "tags": ["Vendor Advisory"], "url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-gxh2-6vvc-rrgp"}, {"source": "security@grafana.com", "tags": ["Vendor Advisory"], "url": "https://grafana.com/security/security-advisories/cve-2023-3128/"}, {"source": "security@grafana.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20230714-0004/"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-290"}], "source": "security@grafana.com", "type": "Secondary"}]}