{
  "threat_severity" : "Moderate",
  "public_date" : "2023-06-22T00:00:00Z",
  "bugzilla" : {
    "description" : "grafana: account takeover possible when using Azure AD OAuth",
    "id" : "2213626",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2213626"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-305",
  "details" : [ "Grafana is validating Azure AD accounts based on the email claim. \nOn Azure AD, the profile email field is not unique and can be easily modified. \nThis leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.", "A flaw was found in Grafana, which validates Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique across Azure AD tenants, which enables Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant Azure AD OAuth application. This may allow an attacker to gain complete control of the user's account, including access to private customer data and sensitive information." ],
  "statement" : "The vulnerability affecting Red Hat Enterprise Linux 8 and 9 has been categorized as moderate, primarily because Azure Active Directory access is not enabled by default in Grafana configurations. Specifically, it remains disabled in the Azure AD section of the Grafana configuration file located at /etc/grafana/grafana.ini. Even if an administrator enables Azure Active Directory access, it can easily be reverted to the default, disabled state.",
  "affected_release" : [ {
    "product_name" : "Red Hat Ceph Storage 7.1",
    "release_date" : "2024-06-14T00:00:00Z",
    "advisory" : "RHSA-2024:3925",
    "cpe" : "cpe:/a:redhat:ceph_storage:7.1::el8",
    "package" : "ceph-2:18.2.1-194.el8cp"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-11-14T00:00:00Z",
    "advisory" : "RHSA-2023:6972",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "grafana-0:9.2.10-7.el8_9",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-07-12T00:00:00Z",
    "advisory" : "RHSA-2023:4030",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "grafana-0:9.0.9-3.el9_2",
    "impact" : "moderate"
  } ],
  "package_state" : [ {
    "product_name" : "Cryostat 2",
    "fix_state" : "Not affected",
    "package_name" : "grafana",
    "cpe" : "cpe:/a:redhat:cryostat:2"
  }, {
    "product_name" : "OpenShift Service Mesh 2.1",
    "fix_state" : "Out of support scope",
    "package_name" : "servicemesh-grafana",
    "cpe" : "cpe:/a:redhat:service_mesh:2.1"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "grafana",
    "cpe" : "cpe:/a:redhat:ceph_storage:3"
  }, {
    "product_name" : "Red Hat Ceph Storage 4",
    "fix_state" : "Not affected",
    "package_name" : "rhceph/rhceph-4-dashboard-rhel8",
    "cpe" : "cpe:/a:redhat:ceph_storage:4"
  }, {
    "product_name" : "Red Hat Ceph Storage 5",
    "fix_state" : "Not affected",
    "package_name" : "rhceph/rhceph-5-dashboard-rhel8",
    "cpe" : "cpe:/a:redhat:ceph_storage:5"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "grafana",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-grafana",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "grafana",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-3128\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-3128\nhttps://grafana.com/blog/2023/06/22/grafana-security-release-for-cve-2023-3128/" ],
  "name" : "CVE-2023-3128",
  "mitigation" : {
    "value" : "We recommend disabling Azure Active Directory (Azure AD) OAuth in the Grafana configuration file until a fix is provided.",
    "lang" : "en:us"
  },
  "csaw" : false
}