CVE-2023-3128: Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified....
9.4
CVSS
Description
Grafana is validating Azure AD accounts based on the email claim.
On Azure AD, the profile email field is not unique and can be easily modified.
This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.
Classification
CVE ID: CVE-2023-3128
CVSS Base Severity: CRITICAL
CVSS Base Score: 9.4
Affected Products
Vendor: Grafana
Product: Grafana
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.22% (probability of being exploited)
EPSS Percentile: 59.77% (scored less or equal to compared to others)
EPSS Date: 2025-02-03 (when was this score calculated)
References
https://grafana.com/security/security-advisories/cve-2023-3128/https://github.com/grafana/bugbounty/security/advisories/GHSA-gxh2-6vvc-rrgp
https://security.netapp.com/advisory/ntap-20230714-0004/