vulnerability

Red Hat: CVE-2023-3128: grafana: account takeover possible when using Azure AD OAuth (Multiple Advisories)

Name: Red Hat: CVE-2023-3128: grafana: account takeover possible when using Azure AD OAuth (Multiple Advisories)
Creator: Red Hat
Published: 2023-06-22T00:00:00.000Z
Keywords: CVE, CWE-290, Red Hat, 2023, 3128, grafana, redhat-upgrade-grafana, redhat-upgrade-grafana-debuginfo, redhat-upgrade-grafana-debugsource, Severity 10

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:L/Au:N/C:C/I:C/A:P)

Published

Jun 22, 2023

Added

Jul 13, 2023

Modified

Mar 27, 2026

Description

Grafana is validating Azure AD accounts based on the email claim.

On Azure AD, the profile email field is not unique and can be easily modified.

This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.

Solutions

redhat-upgrade-grafanaredhat-upgrade-grafana-debuginforedhat-upgrade-grafana-debugsource

References

CWE-290
EUVD-EUVD-2023-1845
NVD-CVE-2023-3128
REDHAT-RHSA-2023:4030
REDHAT-RHSA-2023:6972
https://euvd.enisa.europa.eu/vulnerability/EUVD-2023-1845

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report