Description
Grafana is validating Azure AD accounts based on the email claim.
On Azure AD, the profile email field is not unique and can be easily modified.
This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.
A flaw was found in Grafana, which validates Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique across Azure AD tenants, which enables Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant AzureAD OAuth application. This may allow an attacker to gain complete control of the user's account, including access to private customer data and sensitive information.
Report
The vulnerability affecting Red Hat Enterprise Linux 8 and 9 has been categorized as moderate, primarily because Azure Active Directory access is not supported by default in Grafana configurations. Specifically, it remains disabled in the Grafana configuration file located at /etc/grafana/grafana.ini within the Azure AD section. Even if someone were to enable Azure Active Directory access, they retain the option to easily revert it back to the default state, ensuring it remains disabled.
Mitigation
We recommend disabling Active Directory in the Grafana configuration file until a fix is provided.
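As an added illustration of the mitigation above (this is not code from the advisory or from Grafana), the following Python check parses the `[auth.azuread]` section of a grafana.ini file and reports whether Azure AD login is enabled against a multi-tenant Azure AD endpoint, the precondition the description names. The key names `enabled`, `auth_url` and `allowed_organizations` are Grafana settings assumed here; the ini text is constructed.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample of the [auth.azuread] section of /etc/grafana/grafana.ini
# (not taken from any real deployment): Azure AD login enabled against the
# multi-tenant "common" endpoint with no tenant allow-list.
SAMPLE_INI = """
[auth.azuread]
enabled = true
auth_url = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id = 00000000-0000-0000-0000-000000000000
allowed_organizations =
"""

# Tenant selectors in the authorize URL that make the app accept logins from
# tenants the operator does not control.
MULTI_TENANT_ENDPOINTS = {"common", "organizations", "consumers"}


def azuread_exposure(ini_text):
    """Return (exposed, reasons) for the Azure AD OAuth settings in ini_text.

    exposed is True when Azure AD login is enabled and the authorize URL is a
    multi-tenant endpoint, i.e. the configuration the advisory warns about.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section("auth.azuread"):
        return False, ["[auth.azuread] section absent: Azure AD login not configured"]
    sec = cp["auth.azuread"]
    if not sec.getboolean("enabled", fallback=False):
        return False, ["Azure AD login disabled (the recommended state until fixed)"]

    auth_url = sec.get("auth_url", fallback="")
    # The first path segment of the authorize URL selects the tenant.
    tenant = urlparse(auth_url).path.strip("/").split("/")[0] if auth_url else ""
    if tenant in MULTI_TENANT_ENDPOINTS:
        reasons = [f"auth_url uses the multi-tenant '{tenant}' endpoint"]
        # allowed_organizations (assumed Grafana key) lists permitted tenant IDs.
        if not sec.get("allowed_organizations", fallback="").strip():
            reasons.append("allowed_organizations is empty: no tenant allow-list")
        return True, reasons
    return False, [f"auth_url is tenant-specific ('{tenant}')"]


if __name__ == "__main__":
    exposed, reasons = azuread_exposure(SAMPLE_INI)
    print("EXPOSED" if exposed else "ok")
    for reason in reasons:
        print(" -", reason)
```

Run it against a copy of the real grafana.ini by passing the file contents to azuread_exposure; an EXPOSED result means the section should be disabled as the advisory recommends.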
Affected packages
Platform | Package | Status | Advisory | Release |
---|---|---|---|---|
Cryostat 2 | grafana | Not affected | | |
OpenShift Service Mesh 2.1 | servicemesh-grafana | Out of support scope | | |
Red Hat Ceph Storage 3 | grafana | Not affected | | |
Red Hat Ceph Storage 4 | rhceph/rhceph-4-dashboard-rhel8 | Not affected | | |
Red Hat Ceph Storage 5 | rhceph/rhceph-5-dashboard-rhel8 | Not affected | | |
Red Hat OpenShift Container Platform 4 | grafana | Not affected | | |
Red Hat OpenShift Container Platform 4 | openshift4/ose-grafana | Not affected | | |
Red Hat Storage 3 | grafana | Not affected | | |
Red Hat Ceph Storage 7.1 | ceph | Fixed | RHSA-2024:3925 | 14.06.2024 |
Red Hat Enterprise Linux 8 | grafana | Fixed | RHSA-2023:6972 | 14.11.2023 |
Additional information
CVSS3: 9.8 Critical
Related vulnerabilities
Grafana vulnerable to Authentication Bypass by Spoofing
CVSS3: 9.8 Critical