UBUNTU-CVE-2023-3128

Source
https://ubuntu.com/security/CVE-2023-3128
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-3128.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2023-3128
Related
Published
2023-06-22T21:15:00Z
Modified
2024-10-15T14:11:29Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.

References

Affected packages

Ubuntu:Pro:16.04:LTS / grafana

Package

Name
grafana
Purl
pkg:deb/ubuntu/grafana?arch=src?distro=esm-apps/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.6.0+dfsg-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}