Grafana has released security fixes for multiple versions of its application, addressing a vulnerability that enables attackers to bypass authentication and take over any Grafana account that uses Azure Active Directory for authentication.
Grafana is a widely used open-source analytics and interactive visualization app that offers extensive integration options with a wide range of monitoring platforms and applications.
Grafana Enterprise, the app’s premium version with additional capabilities, is used by well-known organizations such as Wikimedia, Bloomberg, JP Morgan Chase, eBay, PayPal, and Sony.
The discovered account takeover vulnerability is tracked as CVE-2023-3128 and received a CVSS v3.1 score of 9.4, rating it critical severity.
The bug stems from how Grafana links Azure AD logins to local accounts: it matches on the email address carried in the profile’s ‘email’ claim. That claim is not unique across Azure AD tenants, and the administrator of a tenant can set it to any value, so an attacker who controls their own Azure AD tenant can create a user whose email matches that of a legitimate Grafana user and sign in as that user. The weakness is exploitable when Grafana’s Azure AD integration is configured with a multi-tenant application, that is, one that accepts sign-ins from tenants other than the organization’s own.
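To make the flaw concrete, here is an added example (hypothetical code written for this article, not Grafana’s implementation) of an OIDC login handler that links accounts by the ID token’s `email` claim, beside a hardened version that first checks the issuing tenant (`tid`) against an allow-list and then links on the tenant-scoped object id (`tid`, `oid`), which Azure AD keeps immutable per user. The tenant ids, object ids, users and claim sets are constructed sample data; token signature validation is assumed to have already happened.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    login: str
    email: str
    role: str
    # (tenant id, object id) pairs this account has previously signed in with
    azure_subjects: set = field(default_factory=set)


# Constructed sample data: not real tenants, object ids or accounts.
VICTIM_TENANT = "aaaaaaaa-0000-0000-0000-000000000001"
ATTACKER_TENANT = "bbbbbbbb-0000-0000-0000-000000000002"
ALICE_OID = "d1d1d1d1-0000-0000-0000-00000000000a"
BOB_OID = "d1d1d1d1-0000-0000-0000-00000000000b"
MALLORY_OID = "e2e2e2e2-0000-0000-0000-00000000000c"

USERS = [
    User("alice", "alice@example.com", "Admin", {(VICTIM_TENANT, ALICE_OID)}),
    User("bob", "bob@example.com", "Viewer", {(VICTIM_TENANT, BOB_OID)}),
]

# Claims as they appear in an already signature-checked Azure AD ID token.
LEGIT_CLAIMS = {
    "tid": VICTIM_TENANT, "oid": ALICE_OID,
    "email": "alice@example.com", "name": "Alice",
}
# An attacker who administers a separate tenant can give their own user any
# email value, including one that collides with a victim's.
ATTACKER_CLAIMS = {
    "tid": ATTACKER_TENANT, "oid": MALLORY_OID,
    "email": "alice@example.com", "name": "Mallory",
}


def vulnerable_login(claims):
    """Link purely on the email claim: any tenant can mint a matching value,
    so a collision hands the attacker the victim's account."""
    email = claims.get("email", "").lower()
    for user in USERS:
        if user.email.lower() == email:
            return user
    return None


def hardened_login(claims, allowed_tenants):
    """Reject tokens from tenants that are not explicitly allowed, then link
    on the (tid, oid) pair. An email match alone never links accounts; an
    unknown subject is returned as None so the caller creates a new account
    rather than attaching the login to an existing one."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        raise PermissionError("ID token is missing the tid or oid claim")
    if tid not in allowed_tenants:
        raise PermissionError(f"tenant {tid} is not allowed to sign in")
    for user in USERS:
        if (tid, oid) in user.azure_subjects:
            return user
    return None


def tenant_rejected(claims, allowed_tenants):
    """Helper: True when hardened_login refuses the token outright."""
    try:
        hardened_login(claims, allowed_tenants)
    except PermissionError:
        return True
    return False
```

Run against the constructed data, `vulnerable_login(ATTACKER_CLAIMS)` returns the `alice` admin account, while `hardened_login` refuses the attacker’s token when only the victim tenant is allowed and, even if the attacker’s tenant were allowed, returns no existing account because the subject pair has never been seen before.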