Grafana fixes critical flaws related to Azure AD
Take action: While you may not think Grafana is a big and important app to patch, it provides a login interface and public UI surface to be attacked. Review the advisory and take action - either patch or reconfigure Azure AD to mitigate risks. Or just wait for a user account to be compromised ¯\_(ツ)_/¯
Learn More
Grafana, an open-source analytics and visualization app, has released patches for a critical security flaw that could allow attackers to hijack accounts using Azure Active Directory for authentication.
CVE-2023-3128 - Base Score: 9.4 CRITICAL - the vulnerability originates from the email claim-based validation of Azure AD accounts and could lead to account takeovers and authentication bypasses, granting complete control over users' accounts and access to sensitive data.
Organizations are advised to upgrade to specific versions of Grafana. Patched versions of Grafana are:
- Grafana 10.0.1 or later;
- Grafana 9.5.5 or later;
- Grafana 9.4.13 or later;
- Grafana 9.3.16 or later;
- Grafana 9.2.20 or later;
- Grafana 8.5.27 or later.
Workaround: organizations that can't upgrade are advised to register Grafana as a single-tenant application in Azure AD and to set an "allowed_groups" restriction in the Azure AD authentication settings as mitigations.
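As an added example (not from the original post and not Grafana's own code), the script below does the two checks this item asks for: it compares an installed Grafana version against the patched releases listed above, and it audits the `[auth.azuread]` block of a grafana.ini for the two mitigations in the last paragraph, a tenant-specific endpoint instead of the shared multi-tenant `common` one, and a non-empty `allowed_groups` list. The section and key names are Grafana's real `[auth.azuread]` settings; the two config fragments, the tenant ID and the group IDs in them are constructed placeholders, and treating release branches newer than 10.0.x as patched is this example's assumption, not something the advisory states.

```python
import configparser
from urllib.parse import urlparse

# Patched releases from the advisory summary above; anything older on the
# same major.minor branch has not received the fix.
FIXED_VERSIONS = ["10.0.1", "9.5.5", "9.4.13", "9.3.16", "9.2.20", "8.5.27"]

# Azure AD endpoint aliases that accept sign-ins from any tenant. A Grafana
# instance pointed at one of these is effectively a multi-tenant registration.
MULTI_TENANT_ALIASES = {"common", "organizations", "consumers"}


def parse_version(version: str) -> tuple:
    """'9.5.5' -> (9, 5, 5); a pre-release suffix after '-' is ignored."""
    core = version.split("-")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_patched(version: str) -> bool:
    """True if `version` is at or above the fixed release for its branch.

    Assumption (not from the advisory): branches it does not list, such as
    10.1.x, were cut after the fix, so they count as patched only when they
    are newer than the newest fixed release overall (10.0.1).
    """
    v = parse_version(version)
    fixed_by_branch = {parse_version(f)[:2]: parse_version(f) for f in FIXED_VERSIONS}
    branch_fix = fixed_by_branch.get(v[:2])
    if branch_fix is not None:
        return v >= branch_fix
    return v >= max(fixed_by_branch.values())


def audit_azuread(ini_text: str) -> list:
    """Return a list of findings for [auth.azuread]; an empty list means OK."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    if not cfg.has_section("auth.azuread"):
        return []  # Azure AD login is not configured at all
    section = cfg["auth.azuread"]
    if not section.getboolean("enabled", fallback=False):
        return []
    findings = []
    # Mitigation 1: auth_url and token_url must name a single tenant, not a shared alias.
    for key in ("auth_url", "token_url"):
        path = urlparse(section.get(key, "")).path
        first_segment = next((s for s in path.split("/") if s), "")
        if first_segment.lower() in MULTI_TENANT_ALIASES:
            findings.append(f"{key} uses multi-tenant endpoint '{first_segment}'")
    # Mitigation 2: restrict sign-in to explicit Azure AD group object IDs.
    groups = [g.strip() for g in section.get("allowed_groups", "").split(",") if g.strip()]
    if not groups:
        findings.append("allowed_groups is empty: any account the endpoint accepts can log in")
    return findings


# Constructed sample: multi-tenant endpoints and no group restriction.
WEAK_INI = """
[auth.azuread]
name = Azure AD
enabled = true
allow_sign_up = true
client_id = 00000000-0000-0000-0000-000000000000
client_secret = PLACEHOLDER_SECRET
scopes = openid email profile
auth_url = https://login.microsoftonline.com/common/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/common/oauth2/v2.0/token
allowed_groups =
"""

# Constructed sample: single-tenant endpoints plus allowed_groups.
# The tenant ID and group IDs below are placeholders, not real identifiers.
HARDENED_INI = """
[auth.azuread]
name = Azure AD
enabled = true
allow_sign_up = true
client_id = 00000000-0000-0000-0000-000000000000
client_secret = PLACEHOLDER_SECRET
scopes = openid email profile
auth_url = https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/oauth2/v2.0/authorize
token_url = https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/oauth2/v2.0/token
allowed_groups = 22222222-2222-2222-2222-222222222222, 33333333-3333-3333-3333-333333333333
"""

if __name__ == "__main__":
    for ver in ("9.5.4", "9.5.5", "10.0.0", "10.1.0"):
        print(f"Grafana {ver}: {'patched' if is_patched(ver) else 'needs upgrade'}")
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"{label} config: {audit_azuread(ini) or ['no findings']}")
```

Run it against your own grafana.ini by passing the file contents to `audit_azuread`; the endpoint check is the one that matters most here, because a `common` endpoint lets tokens issued by any Azure AD tenant reach Grafana's login, while `allowed_groups` limits which accounts from the configured tenant can sign in.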