Back to bug 2213626
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Anten Skrabec | 2023-06-08 18:58:51 UTC | CC | security-response-team | |
| Anten Skrabec | 2023-06-08 19:00:26 UTC | Fixed In Version | grafana 10.0.0, grafana 9.5.4, grafana 9.4.13, grafana 9.3.16, grafana 9.2.20, grafana 8.5.27 | |
| Paige Jung | 2023-06-08 20:22:45 UTC | Doc Text | Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique across Azure AD tenants. This enables Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant AzureAD OAuth application. If exploited, the attacker can gain complete control of the user's account, including access to private customer data and sensitive information. | A flaw was found in Grafana, which validates Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique across Azure AD tenants, which enables Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant AzureAD OAuth application. This may allow an attacker to gain complete control of the user's account, including access to private customer data and sensitive information. |
| Anten Skrabec | 2023-06-08 21:31:59 UTC | CC | aazores, chazlett, eaguilar, ebaron, jkang, jkurik, jpallich, jwendell, nathans, pjindal, rcernich, scox, sfroberg, twalsh | |
| Anten Skrabec | 2023-06-08 21:32:11 UTC | Fixed In Version | grafana 10.0.0, grafana 9.5.4, grafana 9.4.13, grafana 9.3.16, grafana 9.2.20, grafana 8.5.27 | grafana 10.0.0, grafana 9.5.4, grafana 9.4.13, grafana 9.3.16, grafana 9.2.20, grafana 8.5.27 |
| | | CC | dfreiber, jburrell, rogbas, vkumar | |
| Anten Skrabec | 2023-06-08 21:36:17 UTC | Depends On | 2213655, 2213656 | |
| | | Group | team ocp_embargoes | |
| Sandipan Roy | 2023-06-09 03:24:14 UTC | Depends On | 2213698, 2213699, 2213701, 2213694, 2213697, 2213693, 2213696, 2213700, 2213695 | |
| Elliott Baron | 2023-06-09 16:56:23 UTC | Doc Type | --- | If docs needed, set a value |
| Anten Skrabec | 2023-06-15 16:49:33 UTC | Depends On | 2215357, 2215358 | |
| TEJ RATHI | 2023-06-23 03:13:42 UTC | Group | security, team ocp_embargoes, qe_staff | |
| | | CC | grafana-maint | |
| | | Summary | EMBARGOED CVE-2023-3128 grafana: account takeover possible when using Azure AD OAuth | CVE-2023-3128 grafana: account takeover possible when using Azure AD OAuth |
| Red Hat Bugzilla | 2023-07-07 08:33:39 UTC | CC | security-response-team | |
| | | Assignee | security-response-team | nobody |
| errata-xmlrpc | 2023-07-12 03:44:49 UTC | Link ID | Red Hat Product Errata RHSA-2023:4030 | |
| Product Security DevOps Team | 2023-07-12 07:51:56 UTC | Resolution | --- | ERRATA |
| | | Status | NEW | CLOSED |
| | | Last Closed | 2023-07-12 07:51:56 UTC | |
| errata-xmlrpc | 2023-07-17 19:31:01 UTC | Link ID | Red Hat Product Errata RHBA-2023:4118 | |