Security Advisories

CGA-45h5-g96m-f6r7

Published

Last updated

Package

sourcegraph-grafana

Latest Update

Not affected

Aliases

Severity

9.4

Critical

CVSS V3

Grafana vulnerable to Authentication Bypass by Spoofing

Grafana is validating Azure AD accounts based on the email claim.

On Azure AD, the profile email field is not unique and can be easily modified.

This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.