[Critical] Authentication Bypass Vulnerability in Grafana Azure AD Environment

Vulnerability description

Grafana is a cross-platform, open source data visualization web application platform. Azure AD is a cloud authentication and access management service provided by Microsoft.

In Azure AD, several users can share the same email address. An attacker could create a malicious account with the same email address as the target Grafana account and configure it in Azure AD to support multi-tenancy.

When Grafana uses Azure AD for authentication, it does not verify that the email address is unique within the Azure AD tenant, so the attacker can take over the target user's Grafana account by authenticating with the malicious account.
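The account-linking weakness described above, and the effect of the two controls listed under remediation (a single trusted tenant and an allowed-groups check), as a constructed model that is not Grafana's code; the tenant, object and group IDs, the email address and the claim layout are placeholders:

```python
"""Constructed model of the Azure AD account-linking weakness behind
CVE-2023-3128 (not Grafana's code). Two identities present the same email
claim, but only one belongs to the tenant the deployment trusts."""
from typing import Optional


class AuthDenied(Exception):
    """Raised when the hardened login check rejects the presented identity."""


# Constructed placeholders, not real tenant, object or group IDs.
TRUSTED_TENANT = "tenant-A"
ALLOWED_GROUPS = {"grp-grafana-users"}        # Azure AD group object IDs
ACCOUNTS = {1: "alice@example.com"}            # local account id -> email

# ID-token claims as the relying party would see them. Azure AD permits the
# same email on different users, so the attacker's token is otherwise valid.
VICTIM_CLAIMS = {"email": "alice@example.com", "tid": "tenant-A",
                 "oid": "oid-alice", "groups": ["grp-grafana-users"]}
ATTACKER_CLAIMS = {"email": "alice@example.com", "tid": "tenant-B",
                   "oid": "oid-mallory", "groups": []}


def link_by_email(claims: dict) -> Optional[int]:
    """Vulnerable pattern: the email claim alone selects the local account."""
    for account_id, email in ACCOUNTS.items():
        if email.lower() == claims["email"].lower():
            return account_id
    return None


def link_hardened(claims: dict, trusted_tenant: str = TRUSTED_TENANT,
                  allowed_groups: set = ALLOWED_GROUPS) -> Optional[int]:
    """Apply the advisory's two controls before the email lookup: the token
    must come from the single trusted tenant (single-tenant app) and the
    user must be in an allowed group. Either check stops the cross-tenant login."""
    if claims.get("tid") != trusted_tenant:
        raise AuthDenied("token issued by untrusted tenant %r" % claims.get("tid"))
    if allowed_groups and not allowed_groups.intersection(claims.get("groups", [])):
        raise AuthDenied("user is not a member of any allowed group")
    return link_by_email(claims)


if __name__ == "__main__":
    print("email-only linking, attacker token ->", link_by_email(ATTACKER_CLAIMS))
    print("hardened linking, victim token   ->", link_hardened(VICTIM_CLAIMS))
    try:
        link_hardened(ATTACKER_CLAIMS)
    except AuthDenied as exc:
        print("hardened linking, attacker token -> denied:", exc)
```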

Vulnerability name: Grafana Azure AD environment authentication bypass vulnerability
Vulnerability type: Use of hardcoded credentials
Discovery time: 2023/6/25
Vulnerability breadth: -
MPS number: MPS-rsc9-y5u2
CVE number: CVE-2023-3128
CNVD number: -


Affected scope

- grafana@ (all versions)
- grafana/grafana@[9.5.0, 9.5.5)
- grafana/grafana@[9.4.0, 9.4.13)
- grafana/grafana@[9.3.0, 9.3.16)
- grafana/grafana@[9.2.0, 9.2.29)
- grafana/grafana@[8.5.0, 8.5.27)
- grafana/grafana@[10.0.0, 10.0.1)

Remediation

- Add the allowed_groups setting to the Azure AD configuration
- Upgrade the component grafana/grafana to version 9.5.5 or above
- Upgrade the component grafana/grafana to version 9.4.13 or above
- Upgrade the component grafana/grafana to version 9.3.16 or above
- Upgrade the component grafana/grafana to version 9.2.29 or above
- Upgrade the component grafana/grafana to version 8.5.27 or above
- Register a single-tenant application in Azure AD

Reference links

- https://www.oscs1024.com/hd/MPS-rsc9-y5u2
- https://nvd.nist.gov/vuln/detail/CVE-2023-3128
- https://github.com/grafana/grafana/commit/4821175d40ce49c448c5545988b7f8116566b8e1

About Murphy Security

Murphy Security is a technology company providing professional software supply chain security management. Its core team comes from companies such as Baidu, Huawei, and Wuyun. The company offers customers a complete software supply chain security management platform built around the SBOM and covering the entire software life cycle, with end-to-end capabilities from supply chain asset identification and management, through risk detection and security control, to one-click remediation.

Open source project: https://github.com/murphysecurity/murphysec/?sf=qbyj

The product integrates with the tools already used in the development process at very low cost, including seamless integration with dozens of tools such as IDEs, GitLab, Bitbucket, Jenkins, Harbor, and Nexus.

Free code security detection tool:  https://www.murphysec.com/?sf=qbyj
Free intelligence subscription: https://www.oscs1024.com/cm/?sf=qbyj

Origin: blog.csdn.net/murphysec/article/details/131770535