Grafana validates Azure AD accounts based on the email claim.
On Azure AD, the profile email field is not unique and can easily be modified by the account owner.
This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app: a user in another tenant can set their profile email to match an existing Grafana account's address and be logged in as that account.
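As an added illustration of the flaw described above (example code written for this entry, not Grafana's own connector code): a hypothetical Go login handler that resolves the local account from the `email` claim, beside a hardened variant that keys identity on the `tid` and `oid` claims and enforces a tenant allow-list. `email`, `tid` and `oid` are real Azure AD ID-token claim names; the `UserStore`, the tenant ids and the e-mail addresses are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Claims is the subset of an Azure AD ID-token payload this example inspects.
// A real token is a signed JWT; it is assumed to have been signature-checked
// already, because the flaw lies in which claim is used to identify the user.
type Claims struct {
	Email string // "email": a profile field the account owner can edit; not unique across tenants
	TID   string // "tid": the tenant that issued the token
	OID   string // "oid": immutable object id of the account inside that tenant
}

// User is a local account record, in the spirit of a Grafana user row.
type User struct {
	Login  string
	Email  string
	AuthID string // stable external identity, stored as "<tid>:<oid>"
	Admin  bool
}

// UserStore is an in-memory stand-in for the user table (constructed for the example).
type UserStore struct {
	byEmail  map[string]*User
	byAuthID map[string]*User
}

// NewUserStore indexes the given users by e-mail and by external auth id.
func NewUserStore(users ...*User) *UserStore {
	s := &UserStore{byEmail: map[string]*User{}, byAuthID: map[string]*User{}}
	for _, u := range users {
		s.byEmail[strings.ToLower(u.Email)] = u
		if u.AuthID != "" {
			s.byAuthID[u.AuthID] = u
		}
	}
	return s
}

var (
	ErrUnknownUser      = errors.New("no matching user")
	ErrTenantNotAllowed = errors.New("token issued by a tenant that is not allowed")
	ErrMissingClaims    = errors.New("token lacks tid or oid claim")
)

// VulnerableLogin mirrors the flaw in the advisory: whoever presents a token
// whose email claim matches an existing account is logged in as that account,
// regardless of which tenant issued the token.
func (s *UserStore) VulnerableLogin(c Claims) (*User, error) {
	if u, ok := s.byEmail[strings.ToLower(c.Email)]; ok {
		return u, nil
	}
	return nil, ErrUnknownUser
}

// HardenedLogin keys identity on tenant id plus immutable object id and refuses
// tokens from tenants outside an explicit allow-list. The email claim is kept
// only as display data and is never used to select an account.
func (s *UserStore) HardenedLogin(c Claims, allowedTenants map[string]bool) (*User, error) {
	if c.TID == "" || c.OID == "" {
		return nil, ErrMissingClaims
	}
	if !allowedTenants[c.TID] {
		return nil, ErrTenantNotAllowed
	}
	authID := c.TID + ":" + c.OID
	if u, ok := s.byAuthID[authID]; ok {
		return u, nil
	}
	// First login from an allowed tenant: provision a fresh, unprivileged
	// account rather than attaching to an existing one by e-mail address.
	u := &User{Login: authID, Email: c.Email, AuthID: authID}
	s.byAuthID[authID] = u
	return u, nil
}

func main() {
	// Constructed sample data: one pre-provisioned admin from the organisation's
	// own tenant, and an attacker in an unrelated tenant who set the profile
	// e-mail of their account to the admin's address.
	const victimTenant, attackerTenant = "tenant-victim", "tenant-attacker"
	store := NewUserStore(&User{Login: "admin", Email: "admin@example.com",
		AuthID: victimTenant + ":oid-victim", Admin: true})
	attacker := Claims{Email: "admin@example.com", TID: attackerTenant, OID: "oid-attacker"}

	if u, err := store.VulnerableLogin(attacker); err == nil {
		fmt.Printf("vulnerable: attacker logged in as %q (admin=%v)\n", u.Login, u.Admin)
	}
	allowed := map[string]bool{victimTenant: true}
	if _, err := store.HardenedLogin(attacker, allowed); err != nil {
		fmt.Println("hardened:", err)
	}
}
```

Grafana's Azure AD settings expose the tenant allow-list as `allowed_organizations`. The tenant check closes the cross-tenant path; binding the account to `tid:oid` additionally ensures that an e-mail collision inside an allowed tenant can never map to somebody else's account.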
History
Fri, 06 Dec 2024 16:15:00 +0000

Type | Values Removed | Values Added
---|---|---
Metrics | | ssvc
MITRE
Status: PUBLISHED
Assigner: GRAFANA
Published: 2023-06-22T20:14:00.805Z
Updated: 2024-12-06T15:26:43.437Z
Reserved: 2023-06-06T15:02:55.259Z
Link: CVE-2023-3128
Vulnrichment
Updated: 2024-08-02T06:48:07.347Z
NVD
Status : Modified
Published: 2023-06-22T21:15:09.573
Modified: 2024-11-21T08:16:31.240
Link: CVE-2023-3128