[FREEBSD:FDBE9AEC-118B-11EE-908A-6C3BE5272ACD] Grafana -- Account takeover / authentication bypass

Severity: Critical
Affected Packages: 4
CVEs: 1

Grafana Labs reports:

  Grafana validates Azure Active Directory accounts based on the email claim.
  On Azure AD, the profile email field is not unique across Azure AD tenants.
  This can enable a Grafana account takeover and authentication bypass when
  Azure AD OAuth is configured with a multi-tenant Azure AD OAuth application.

  The CVSS score for this vulnerability is 9.4 Critical.
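The matching logic at the heart of this advisory, as an added illustration that is not Grafana's code: an account lookup keyed on the email claim beside one keyed on the tenant and object identifiers with a tenant allow-list. The claim names, the local record shape and the sample tenants are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Claims is the subset of an Azure AD ID token used here (constructed example): "email"
// is profile data that is not unique across tenants; "tid" plus "oid" identify one account.
type Claims struct{ Email, TID, OID string }
// User is a hypothetical local account record (Grafana-style store).
type User struct{ Login, Email, TID, OID string }

var ErrNoAccount = errors.New("no matching local account")
var ErrTenant = errors.New("tenant not on the allow-list")
// lookupByEmail is the vulnerable pattern the advisory describes: any tenant
// presenting a matching email claim is mapped onto the same local account.
func lookupByEmail(users []User, c Claims) (User, error) {
	for _, u := range users {
		if u.Email == c.Email {
			return u, nil
		}
	}
	return User{}, ErrNoAccount
}

// lookupByIdentity is the hardened form: the tenant must be allow-listed and
// the account is keyed on the immutable (tid, oid) pair, never on the email.
func lookupByIdentity(users []User, allowed map[string]bool, c Claims) (User, error) {
	if !allowed[c.TID] {
		return User{}, ErrTenant
	}
	for _, u := range users {
		if u.TID == c.TID && u.OID == c.OID {
			return u, nil
		}
	}
	return User{}, ErrNoAccount
}

// Constructed data: one admin in tenant-a, and a token from a different tenant
// whose profile email happens to be the same string.
var Users = []User{{Login: "admin", Email: "admin@example.com", TID: "tenant-a", OID: "oid-1"}}
var AllowedTenants = map[string]bool{"tenant-a": true}
var ForeignToken = Claims{Email: "admin@example.com", TID: "tenant-b", OID: "oid-99"}

func main() {
	fmt.Println(lookupByEmail(Users, ForeignToken))                    // admin account, nil error: takeover
	fmt.Println(lookupByIdentity(Users, AllowedTenants, ForeignToken)) // empty user, ErrTenant
}
```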
Package                Affected Version
pkg:freebsd/grafana9   < 9.2.20
pkg:freebsd/grafana8   < 8.5.27
pkg:freebsd/grafana10  < 10.0.1
pkg:freebsd/grafana    < 8.5.27
ID: FREEBSD:FDBE9AEC-118B-11EE-908A-6C3BE5272ACD
Severity: critical
Severity from: CVE-2023-3128
URL: http://vuxml.freebsd.org/freebsd/fdbe9aec-118b-11ee-908a-6c3be5272acd.html
Published: 2023-06-22T00:00:00
Modified: 2023-06-23T00:00:00
Rights: FreeBSD VuXML Security Team