Home > Vulnerability Database > CVE-2023-3128

Mend.io Vulnerability Database

CVE-2023-3128

Good to know:

Date: June 22, 2023

Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.

Language: Go

Severity Score

9.4

Related Resources (10)

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-3128

Url: https://grafana.com/security/security-advisories/cve-2023-3128

Url: https://github.com/grafana/grafana

Url: https://security.netapp.com/advisory/ntap-20230714-0004/

Url: https://access.redhat.com/security/cve/CVE-2023-3128

Url: https://github.com/grafana/grafana/blob/69fc4e6bc0be2a82085ab3885c2262a4d49e97d8/CHANGELOG.md

Url: https://security.netapp.com/advisory/ntap-20230714-0004

Url: https://grafana.com/security/security-advisories/cve-2023-3128/

Url: https://github.com/grafana/bugbounty/security/advisories/GHSA-gxh2-6vvc-rrgp

Url: https://www.mend.io/vulnerability-database/CVE-2023-3128

Severity Score

9.4

Weakness Type (CWE)

Authentication Bypass by Spoofing

CWE-290

Top Fix

Upgrade Version

Upgrade to version v8.5.27,v9.2.20,v9.3.16,v9.4.13,v9.5.4

Learn More

CVSS v3.1

Base Score:	9.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2023-3128

Good to know:

Date: June 22, 2023

Language: Go

Severity Score

Related Resources (10)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?