[FREEBSD:FDBE9AEC-118B-11EE-908A-6C3BE5272ACD] Grafana -- Account takeover / authentication bypass
Severity: Critical
Affected Packages: 4
CVEs: 1
Grafana Labs reports:
Grafana validates Azure Active Directory accounts based on the email claim.
On Azure AD, the profile email field is not unique across Azure AD tenants.
This can enable a Grafana account takeover and authentication bypass when
Azure AD OAuth is configured with a multi-tenant Azure AD OAuth application.
The CVSS score for this vulnerability is 9.4 Critical.
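The flaw the advisory describes is a linking mistake rather than a token-validation mistake: the Azure AD ID token is genuine, but the account it is matched against is chosen by the `email` claim, which any tenant administrator can set to an arbitrary value. In a multi-tenant app registration an attacker therefore only needs their own tenant and a profile email equal to the victim's. The Go example below is added here to make that concrete; it is not Grafana's code and does not reproduce the actual fix. The claim struct, the in-memory user store, the tenant IDs and the two sample tokens are constructed for the example, and the `allowedTenants` slice is a stand-in for restricting sign-in to known tenants (a single-tenant app registration, or Grafana's `allowed_organizations` option under `[auth.azuread]`). The hardened path keys the account on the `tid` and `oid` claims, which Azure AD issues as immutable identifiers, instead of on `email`.

```go
package main

import (
	"errors"
	"fmt"
)

// idClaims is the subset of an Azure AD ID token used here. The struct and
// the sample values further down are constructed for this example.
type idClaims struct {
	Email string // "email": user-editable profile field, not unique across tenants
	OID   string // "oid": immutable object ID of the account inside its tenant
	TID   string // "tid": ID of the tenant that issued the token
}

// user is a local account. AuthID is the identifier the external auth
// module stored when the account was linked to Azure AD.
type user struct {
	Login  string
	Email  string
	AuthID string
	Admin  bool
}

// userStore stands in for the user and user_auth tables.
type userStore struct {
	byEmail  map[string]*user
	byAuthID map[string]*user
}

func newUserStore() *userStore {
	return &userStore{byEmail: map[string]*user{}, byAuthID: map[string]*user{}}
}

func (s *userStore) add(u *user) {
	s.byEmail[u.Email] = u
	if u.AuthID != "" {
		s.byAuthID[u.AuthID] = u
	}
}

// tenantScopedID builds the identity key the hardened path uses: tenant ID
// plus object ID. The email claim does not take part in it.
func tenantScopedID(c idClaims) string {
	return c.TID + "/" + c.OID
}

// lookupByEmail mirrors the vulnerable behaviour the advisory describes:
// the token is accepted if any local account carries the same email.
func lookupByEmail(s *userStore, c idClaims) (*user, error) {
	if u, ok := s.byEmail[c.Email]; ok {
		return u, nil
	}
	return nil, errors.New("no account for email")
}

// lookupByTenantAndOID is the hardened path: the issuing tenant must be on the
// allowlist (an empty allowlist means any tenant, i.e. a multi-tenant app),
// and the account is matched on tid+oid, never on the email claim.
func lookupByTenantAndOID(s *userStore, allowedTenants []string, c idClaims) (*user, error) {
	if c.TID == "" || c.OID == "" {
		return nil, errors.New("token missing tid or oid claim")
	}
	if len(allowedTenants) > 0 {
		allowed := false
		for _, t := range allowedTenants {
			if t == c.TID {
				allowed = true
				break
			}
		}
		if !allowed {
			return nil, fmt.Errorf("tenant %s is not allowed to sign in", c.TID)
		}
	}
	if u, ok := s.byAuthID[tenantScopedID(c)]; ok {
		return u, nil
	}
	return nil, errors.New("no account linked to this tenant/oid")
}

// Constructed sample data: the victim is an admin in tenant A; the attacker
// controls tenant B and has set their profile email to the victim's address.
const (
	tenantA = "11111111-1111-1111-1111-111111111111"
	tenantB = "22222222-2222-2222-2222-222222222222"
)

var victimClaims = idClaims{Email: "alice@example.com", OID: "aaaaaaaa-0000-0000-0000-000000000001", TID: tenantA}
var attackerClaims = idClaims{Email: "alice@example.com", OID: "bbbbbbbb-0000-0000-0000-000000000002", TID: tenantB}

func sampleStore() *userStore {
	s := newUserStore()
	s.add(&user{Login: "alice", Email: "alice@example.com", AuthID: tenantScopedID(victimClaims), Admin: true})
	return s
}

func main() {
	s := sampleStore()
	if u, err := lookupByEmail(s, attackerClaims); err == nil {
		fmt.Printf("vulnerable: token from tenant B signed in as %q (admin=%v)\n", u.Login, u.Admin)
	}
	if _, err := lookupByTenantAndOID(s, []string{tenantA}, attackerClaims); err != nil {
		fmt.Println("hardened:", err)
	}
}
```

Note that the tenant allowlist and the tid+oid key are independent controls. With an empty allowlist the hardened path still refuses the attacker, because a token from tenant B can never produce the victim's `tid/oid` key; the allowlist additionally stops accounts from unknown tenants being auto-provisioned at all, which is the mitigation available to operators who cannot upgrade immediately.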
Package | Affected Version |
---|---|
pkg:freebsd/grafana9 | < 9.2.20 |
pkg:freebsd/grafana8 | < 8.5.27 |
pkg:freebsd/grafana10 | < 10.0.1 |
pkg:freebsd/grafana | < 8.5.27 |
- ID: FREEBSD:FDBE9AEC-118B-11EE-908A-6C3BE5272ACD
- Severity: critical
- Severity from: CVE-2023-3128
- URL: http://vuxml.freebsd.org/freebsd/fdbe9aec-118b-11ee-908a-6c3be5272acd.html
- Published: 2023-06-22T00:00:00
- Modified: 2023-06-23T00:00:00
- Rights: FreeBSD VuXML Security Team
- Other Advisories
Source | URL |
---|---|
FreeBSD VuXML | https://grafana.com/security/security-advisories/cve-2023-3128 |