CVE-2023-3128 — Vulnetix

CVE-2023-3128 PUBLISHED

Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.

EPSS 1.88% · 83.5th percentile

Risk Scores

EPSS Score

1.88%

83.5th percentile

Affected Products

Vendor	Product	Versions
Bitnami	grafana	6.7.0, 9.2.0, 9.3.0
Bitnami	grafana	9.2.0, 9.3.0, 9.4.0

Timeline

Jun 22, 2023 CVE Published
Jun 23, 2023 EPSS Score
Sep 1, 2023 EPSS Score
Oct 7, 2023 EPSS Score
Dec 16, 2023 EPSS Score
Feb 24, 2024 EPSS Score
Mar 30, 2024 EPSS Score
Jun 9, 2024 EPSS Score
Aug 18, 2024 EPSS Score
Oct 27, 2024 EPSS Score
Dec 3, 2024 EPSS Score
Feb 11, 2025 EPSS Score

References

https://github.com/grafana/bugbounty/security/advisories/GHSA-gxh2-6vvc-rrgp url
https://grafana.com/security/security-advisories/cve-2023-3128/ url
https://security.netapp.com/advisory/ntap-20230714-0004/ url
https://nvd.nist.gov/vuln/detail/CVE-2023-3128 url

Open in Interactive Console →