Grafana validates Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique across Azure AD tenants. This enables Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant Azure AD OAuth application. If exploited, an attacker can gain complete control of a user's account, including access to private customer data and sensitive information. All users of Grafana deployments with Azure AD OAuth configured with a multi-tenant Azure app and without allowed_groups configured are affected and can be compromised.
Reference: https://grafana.com/blog/2023/06/22/grafana-security-release-for-cve-2023-3128/
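The account-linking mistake described above, as an added illustration that is not Grafana's code: an email-only match against an existing account, beside a match on the Azure AD tenant id (`tid`) and object id (`oid`) claims with an allowed_groups check. The claim names are standard Azure AD ID token claims; the account store, the sample tokens and the function names are constructed assumptions.

```python
"""Why email-based linking of Azure AD logins is unsafe, and the hardened form."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Account:
    user_id: int
    email: str
    tid: Optional[str] = None  # tenant the identity was first linked from
    oid: Optional[str] = None  # object id of that identity within the tenant


# Constructed sample store: one legitimate user linked from tenant-a.
ACCOUNTS = [Account(1, "alice@example.com", "tenant-a", "oid-alice")]

# Constructed claims: the legitimate identity, and an identity from a second
# tenant whose (non-unique) profile email happens to be the same string.
LEGIT_CLAIMS = {"tid": "tenant-a", "oid": "oid-alice",
                "email": "alice@example.com", "groups": ["g-admins"]}
OTHER_TENANT_CLAIMS = {"tid": "tenant-b", "oid": "oid-other",
                       "email": "alice@example.com", "groups": []}


def link_by_email(claims: dict, accounts: Iterable[Account] = ACCOUNTS) -> Optional[Account]:
    """Vulnerable: a token from any tenant with a matching email lands on the same account."""
    email = claims.get("email", "").lower()
    for acct in accounts:
        if acct.email.lower() == email:
            return acct
    return None


def link_by_tenant_oid(claims: dict, accounts: Iterable[Account] = ACCOUNTS,
                       allowed_groups: Iterable[str] = ()) -> Optional[Account]:
    """Hardened: key the account on (tid, oid), which Azure AD keeps unique and stable,
    and refuse logins that carry none of the allowed groups when a list is configured."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        return None
    allowed = set(allowed_groups)
    if allowed and not allowed & set(claims.get("groups", ())):
        return None
    for acct in accounts:
        if acct.tid == tid and acct.oid == oid:
            return acct
    return None
```

With the email matcher the second-tenant token resolves to Alice's account; with the (tid, oid) matcher it resolves to nothing, and an allowed_groups list additionally blocks tokens that carry no permitted group.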
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:4030 https://access.redhat.com/errata/RHSA-2023:4030
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-3128
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:6972 https://access.redhat.com/errata/RHSA-2023:6972
This issue has been addressed in the following products: Red Hat Ceph Storage 7.1 Via RHSA-2024:3925 https://access.redhat.com/errata/RHSA-2024:3925