{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-3128", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2023-06-06T15:02:55.259Z", "datePublished": "2023-06-22T20:14:00.805Z", "dateUpdated": "2024-08-02T06:48:07.347Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Grafana", "vendor": "Grafana", "versions": [{"lessThan": "9.5.4", "status": "affected", "version": "9.5.0", "versionType": "semver"}, {"lessThan": "9.4.13", "status": "affected", "version": "9.4.0", "versionType": "semver"}, {"lessThan": "9.3.16", "status": "affected", "version": "9.3.0", "versionType": "semver"}, {"lessThan": "9.2.20", "status": "affected", "version": "9.2.0", "versionType": "semver"}, {"lessThan": "8.5.27", "status": "affected", "version": "6.7.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "Grafana Enterprise", "vendor": "Grafana", "versions": [{"lessThan": "9.5.4", "status": "affected", "version": "9.5.0", "versionType": "semver"}, {"lessThan": "9.4.13", "status": "affected", "version": "9.4.0", "versionType": "semver"}, {"lessThan": "9.3.16", "status": "affected", "version": "9.3.0", "versionType": "semver"}, {"lessThan": "9.2.20", "status": "affected", "version": "9.2.0", "versionType": "semver"}, {"lessThan": "8.5.27", "status": "affected", "version": "6.7.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Grafana is validating Azure AD accounts based on the email claim. </p><p>On Azure AD, the profile email field is not unique and can be easily modified. </p><p>This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app. </p>"}], "value": "Grafana is validating Azure AD accounts based on the email claim. \n\nOn Azure AD, the profile email field is not unique and can be easily modified. \n\nThis leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app. \n\n"}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-290", "description": "CWE-290", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2023-07-06T08:24:09.716Z"}, "references": [{"url": "https://grafana.com/security/security-advisories/cve-2023-3128/"}, {"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-gxh2-6vvc-rrgp"}, {"url": "https://security.netapp.com/advisory/ntap-20230714-0004/"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:48:07.347Z"}, "title": "CVE Program Container", "references": [{"url": "https://grafana.com/security/security-advisories/cve-2023-3128/", "tags": ["x_transferred"]}, {"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-gxh2-6vvc-rrgp", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230714-0004/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*", "matchCriteriaId": "83E4CB78-7F97-4B9A-B644-ED98761C6213", "versionEndExcluding": "8.5.27", "versionStartIncluding": "6.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "26C597A7-F2D1-4A33-BBBD-352669DB8E91", "versionEndExcluding": "8.5.27", "versionStartIncluding": "6.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*", "matchCriteriaId": "C47AA0E0-72E8-4235-8D27-7F579929D179", "versionEndExcluding": "9.2.20", "versionStartIncluding": "9.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "F825B098-EEA7-415F-A9EA-6E72D741E614", "versionEndExcluding": "9.2.20", "versionStartIncluding": "9.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*", "matchCriteriaId": "4F05305B-94D2-4687-8AE9-F55CE840B647", "versionEndExcluding": "9.3.16", "versionStartIncluding": "9.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "C32F2F70-18A1-47D6-8B5E-F20D096AEBD0", "versionEndExcluding": "9.3.16", "versionStartIncluding": "9.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*", "matchCriteriaId": "C40FF772-6C54-4B5C-BD5C-560E192B79F6", "versionEndExcluding": "9.4.13", "versionStartIncluding": "9.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "61DA1D1A-D969-492E-9A43-A99E9A918A5A", "versionEndExcluding": "9.4.13", "versionStartIncluding": "9.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*", "matchCriteriaId": "B08F1010-C1F8-4F29-A65D-D9A741F77AA3", "versionEndExcluding": "9.5.4", "versionStartIncluding": "9.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "E61B4ECF-7DC6-4487-9F27-8660BD8AD179", "versionEndExcluding": "9.5.4", "versionStartIncluding": "9.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Grafana is validating Azure AD accounts based on the email claim. \n\nOn Azure AD, the profile email field is not unique and can be easily modified. \n\nThis leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app. \n\n"}], "id": "CVE-2023-3128", "lastModified": "2024-11-21T08:16:31.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "security@grafana.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-06-22T21:15:09.573", "references": [{"source": "security@grafana.com", "tags": ["Vendor Advisory"], "url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-gxh2-6vvc-rrgp"}, {"source": "security@grafana.com", "tags": ["Vendor Advisory"], "url": "https://grafana.com/security/security-advisories/cve-2023-3128/"}, {"source": "security@grafana.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20230714-0004/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-gxh2-6vvc-rrgp"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://grafana.com/security/security-advisories/cve-2023-3128/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20230714-0004/"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "security@grafana.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-290"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:3925", "cpe": "cpe:/a:redhat:ceph_storage:7.1::el8", "package": "ceph-2:18.2.1-194.el8cp", "product_name": "Red Hat Ceph Storage 7.1", "release_date": "2024-06-14T00:00:00Z"}, {"advisory": "RHSA-2023:6972", "cpe": "cpe:/a:redhat:enterprise_linux:8", "impact": "moderate", "package": "grafana-0:9.2.10-7.el8_9", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-11-14T00:00:00Z"}, {"advisory": "RHSA-2023:4030", "cpe": "cpe:/a:redhat:enterprise_linux:9", "impact": "moderate", "package": "grafana-0:9.0.9-3.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-07-12T00:00:00Z"}], "bugzilla": {"description": "grafana: account takeover possible when using Azure AD OAuth", "id": "2213626", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2213626"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-305", "details": ["Grafana is validating Azure AD accounts based on the email claim. \nOn Azure AD, the profile email field is not unique and can be easily modified. \nThis leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.", "A flaw was found in Grafana, which validates Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique across Azure AD tenants, which enables Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant AzureAD OAuth application.\u00a0This may allow an attacker to gain complete control of the user's account, including access to private customer data and sensitive information."], "mitigation": {"lang": "en:us", "value": "We recommend disabling Active Directory in the Grafana configuration file until a fix is provided."}, "name": "CVE-2023-3128", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:2", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Cryostat 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2.1", "fix_state": "Out of support scope", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.1"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Not affected", "package_name": "rhceph/rhceph-4-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/a:redhat:ceph_storage:5", "fix_state": "Not affected", "package_name": "rhceph/rhceph-5-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 5"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Storage 3"}], "public_date": "2023-06-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-3128\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-3128\nhttps://grafana.com/blog/2023/06/22/grafana-security-release-for-cve-2023-3128/"], "statement": "The vulnerability affecting Red Hat Enterprise Linux 8 and 9 has been categorized as moderate, primarily because Azure Active Directory access is not supported by default in Grafana configurations. Specifically, it remains disabled in the Grafana configuration file located at /etc/grafana/grafana.ini within the Azure AD section. Even if someone were to enable Azure Active Directory access, they retain the option to easily revert it back to the default state, ensuring it remains disabled.", "threat_severity": "Moderate", "upstream_fix": "grafana 10.0.0, grafana 9.5.4, grafana 9.4.13, grafana 9.3.16, grafana 9.2.20, grafana 8.5.27"}