BIT-grafana-2023-3128

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/grafana/BIT-grafana-2023-3128.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-grafana-2023-3128
Aliases
Published
2024-03-06T10:53:06.974Z
Modified
2024-05-19T02:24:32.538954Z
Summary
[none]
Details

Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.

References

Affected packages

Bitnami / grafana

Package

Name
grafana
Purl
pkg:bitnami/grafana

Severity

  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
6.7.0
Fixed
8.5.27
Introduced
9.2.0
Fixed
9.2.20
Introduced
9.3.0
Fixed
9.3.16
Introduced
9.4.0
Fixed
9.4.13
Introduced
9.5.0
Fixed
9.5.4