CVE-2023-3128 Report - Details, Severity, & Advisories
Twingate Team
•
Jun 28, 2024

What is CVE-2023-3128?
CVE-2023-3128 is a critical vulnerability in Grafana when Azure AD OAuth is configured with a multi-tenant Azure AD application. A flaw in Grafana's Azure AD OAuth implementation lets an attacker bypass authentication and take over accounts. Any deployment of Grafana using Azure AD OAuth with a multi-tenant app is at risk, including several NetApp products that incorporate Grafana. Organizations should update to the patched versions to prevent unauthorized access and potential data breaches.
Who is impacted by CVE-2023-3128?
The CVE-2023-3128 vulnerability affects users of Grafana software who have configured Azure AD OAuth with a multi-tenant app, including those using multiple NetApp products that incorporate Grafana. The impacted versions include Grafana and Grafana Enterprise versions 6.7.0 to 8.5.26, 9.2.0 to 9.2.19, 9.3.0 to 9.3.15, 9.4.0 to 9.4.12, and 9.5.0 to 9.5.3. This vulnerability could lead to unauthorized access and potential data breaches, so it's essential to be aware of the affected software versions and take necessary precautions.
What to do if CVE-2023-3128 affected you
If you're affected by the CVE-2023-3128 vulnerability, it's crucial to take action to secure your systems. Follow these simple steps:
- Update Grafana to the patched versions: 9.5.4, 9.4.13, 9.3.16, or 8.5.27.
- Review and monitor access logs for suspicious activity.
- Revoke and reissue any compromised access tokens or credentials.
- Ensure the email claim in Azure AD is unique and not easily modified.
- Implement additional security measures, such as multi-factor authentication.
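To support the first step, here is an added inventory-triage script (not Grafana's or the advisory's code) that flags hosts whose Grafana version falls inside one of the affected ranges listed above; the hostnames in the sample inventory are constructed.

```python
# Added example (not Grafana's or the advisory's code): flag hosts whose Grafana
# version falls inside one of the CVE-2023-3128 affected ranges listed above.
from __future__ import annotations

import re

# Inclusive (first affected, last affected) bounds, taken from the report.
AFFECTED_RANGES = [
    ("6.7.0", "8.5.26"),
    ("9.2.0", "9.2.19"),
    ("9.3.0", "9.3.15"),
    ("9.4.0", "9.4.12"),
    ("9.5.0", "9.5.3"),
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn 'v9.5.2', '9.5.2' or '9.5.2+build' into a comparable (major, minor, patch)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version lies inside any affected range (bounds inclusive).

    A version outside every listed range (e.g. 9.1.x, which the report does not
    list) returns False; that means 'not in the list', not a positive clearance.
    """
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a hostname -> version inventory into affected / not_affected hosts."""
    result: dict[str, list[str]] = {"affected": [], "not_affected": []}
    for host, ver in inventory.items():
        result["affected" if is_affected(ver) else "not_affected"].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"grafana-prod-1": "v9.5.3", "grafana-prod-2": "9.5.4", "grafana-legacy": "8.5.26"}
    print(triage(sample))  # {'affected': ['grafana-prod-1', 'grafana-legacy'], 'not_affected': ['grafana-prod-2']}
```

A host reported as affected still needs the Azure AD multi-tenant check from the description above to confirm exposure; the version test alone only narrows the list.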
Is this in CISA’s Known Exploited Vulnerabilities Catalog?
The CVE-2023-3128 vulnerability in Grafana is not listed in CISA's Known Exploited Vulnerabilities Catalog. The vulnerability, classified as Authentication Bypass by Spoofing, was published on June 22, 2023.
Weakness Enumeration
The weakness enumeration for this vulnerability is categorized as CWE-290, which involves authentication bypass by spoofing in Grafana's implementation of Azure AD OAuth.
Learn More
To better understand the vulnerability, its severity, and potential mitigation strategies, refer to the NVD page and the sources listed below.