Grafana is validating Azure AD accounts based on the email claim.
On Azure AD, the profile email field is not unique and can be easily modified.
This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.
Weakness
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Grafana | Grafana | 6.7.0 (including) | 8.5.27 (excluding) |
| Grafana | Grafana | 9.2.0 (including) | 9.2.20 (excluding) |
| Grafana | Grafana | 9.3.0 (including) | 9.3.16 (excluding) |
| Grafana | Grafana | 9.4.0 (including) | 9.4.13 (excluding) |
| Grafana | Grafana | 9.5.0 (including) | 9.5.4 (excluding) |
| Red Hat Ceph Storage 7.1 | RedHat | ceph-2:18.2.1-194.el9cp | * |
| Red Hat Enterprise Linux 8 | RedHat | grafana-0:9.2.10-7.el8_9 | * |
| Red Hat Enterprise Linux 9 | RedHat | grafana-0:9.0.9-3.el9_2 | * |
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/21.html
- https://cwe.mitre.org/data/definitions/22.html
- https://cwe.mitre.org/data/definitions/459.html
- https://cwe.mitre.org/data/definitions/461.html
- https://cwe.mitre.org/data/definitions/473.html
- https://cwe.mitre.org/data/definitions/476.html
- https://cwe.mitre.org/data/definitions/59.html
- https://cwe.mitre.org/data/definitions/60.html
- https://cwe.mitre.org/data/definitions/667.html
- https://cwe.mitre.org/data/definitions/94.html
References
- https://github.com/grafana/bugbounty/security/advisories/GHSA-gxh2-6vvc-rrgp
- https://grafana.com/security/security-advisories/cve-2023-3128/
- https://security.netapp.com/advisory/ntap-20230714-0004/
- https://github.com/grafana/bugbounty/security/advisories/GHSA-gxh2-6vvc-rrgp
- https://grafana.com/security/security-advisories/cve-2023-3128/
- https://security.netapp.com/advisory/ntap-20230714-0004/