GHSA-mpv3-g8m3-3fjc

Suggest an improvement
Source
https://github.com/advisories/GHSA-mpv3-g8m3-3fjc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-mpv3-g8m3-3fjc/GHSA-mpv3-g8m3-3fjc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mpv3-g8m3-3fjc
Aliases
Related
Published
2023-06-22T21:30:49Z
Modified
2024-05-08T06:58:47.150756Z
Severity
  • 9.4 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L CVSS Calculator
Summary
Grafana vulnerable to Authentication Bypass by Spoofing
Details

Grafana is validating Azure AD accounts based on the email claim.

On Azure AD, the profile email field is not unique and can be easily modified.

This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.

References

Affected packages

Go / github.com/grafana/grafana

Package

Name
github.com/grafana/grafana
View open source insights on deps.dev
Purl
pkg:golang/github.com/grafana/grafana

Affected ranges

Type
SEMVER
Events
Introduced
9.4.0
Fixed
9.4.13

Go / github.com/grafana/grafana

Package

Name
github.com/grafana/grafana
View open source insights on deps.dev
Purl
pkg:golang/github.com/grafana/grafana

Affected ranges

Type
SEMVER
Events
Introduced
9.3.0
Fixed
9.3.16

Go / github.com/grafana/grafana

Package

Name
github.com/grafana/grafana
View open source insights on deps.dev
Purl
pkg:golang/github.com/grafana/grafana

Affected ranges

Type
SEMVER
Events
Introduced
9.0.0
Fixed
9.2.20

Go / github.com/grafana/grafana

Package

Name
github.com/grafana/grafana
View open source insights on deps.dev
Purl
pkg:golang/github.com/grafana/grafana

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.5.27