​
DirectorySecurity Advisories
Sign In
Security Advisories

CGA-phm9-29c6-x5rm

Published

Last updated

https://images.chainguard.dev/security/CGA-phm9-29c6-x5rm
Package

grafana-7

Latest Update
Not affected
Aliases
  • CVE-2023-3128
  • GHSA-mpv3-g8m3-3fjc

Severity

9.4

Critical

CVSS V3

Summary

Grafana vulnerable to Authentication Bypass by Spoofing

Description

Grafana is validating Azure AD accounts based on the email claim.

On Azure AD, the profile email field is not unique and can be easily modified.

This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.

References

Updates


Safe Source for Open Sourceâ„¢
Media KitContact Us
© 2024 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Product

Chainguard Images