Grafana fixes critical Azure AD-related flaw

Open-source analytics and visualization platform Grafana has issued patches for a critical security flaw, tracked as CVE-2023-3128, that could be exploited to hijack accounts that use Azure Active Directory for authentication, according to BleepingComputer. Grafana said the vulnerability stems from validating Azure AD accounts on the basis of the email claim. "This can enable a Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant Azure AD OAuth application. If exploited, the attacker can gain complete control of a user's account, including access to private customer data and sensitive information," said Grafana in its advisory. Organizations are advised to upgrade to Grafana 10.0.1 or later; Grafana 9.5.5 or later; Grafana 9.4.13 or later; Grafana 9.3.16 or later; Grafana 9.2.20 or later; or Grafana 8.5.27 or later. Those unable to upgrade were advised to register the application as single-tenant in Azure AD and to create an "allowed_groups" configuration in the Azure AD settings as mitigations.
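To make the advisory's point concrete, the following is an added illustration (not Grafana's code) of why keying an account on the email claim is unsafe when the app registration is multi-tenant, and how the two named mitigations (single-tenant restriction and an allowed-groups check) close the gap. All tenant IDs, object IDs, emails and token claims are constructed sample values, and both lookup functions are hypothetical.

```python
# Constructed identifiers; not real tenants, groups or users.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"   # the one tenant we serve
ADMINS_GROUP = "aaaaaaaa-0000-0000-0000-000000000001"  # an allowed_groups entry

# Local account table keyed by email address (the weak design).
USERS_BY_EMAIL = {"admin@example.com": {"login": "admin", "role": "Admin"}}
# The same account keyed by (tenant id, object id), which a user in a
# foreign tenant cannot reproduce.
USERS_BY_OID = {(HOME_TENANT, "0000-admin-oid"): {"login": "admin", "role": "Admin"}}

# Decoded, signature-verified ID-token claims (constructed). With a
# multi-tenant app registration, tokens from any tenant are accepted, so the
# `tid` claim is not guaranteed to be ours.
LEGIT_TOKEN = {"tid": HOME_TENANT, "oid": "0000-admin-oid",
               "email": "admin@example.com", "groups": [ADMINS_GROUP]}
FOREIGN_TOKEN = {"tid": "22222222-2222-2222-2222-222222222222", "oid": "other-oid",
                 "email": "admin@example.com", "groups": []}


def resolve_by_email(claims):
    """Vulnerable pattern: any verified token whose `email` claim matches is
    mapped onto the existing account, whichever tenant issued it."""
    return USERS_BY_EMAIL.get(claims.get("email"))


def resolve_hardened(claims, expected_tenant=HOME_TENANT,
                     allowed_groups=frozenset({ADMINS_GROUP})):
    """Mitigated pattern: enforce the single-tenant restriction, require
    membership in an allowed group, then key the account on (tid, oid)
    rather than on the email claim."""
    if claims.get("tid") != expected_tenant:
        return None  # token issued by another tenant: reject
    if not allowed_groups.intersection(claims.get("groups", [])):
        return None  # not in any allowed group: reject
    return USERS_BY_OID.get((claims["tid"], claims.get("oid")))
```

Run against the two sample tokens, the email-keyed lookup resolves both to the same account, while the hardened lookup accepts only the home-tenant token that carries an allowed group.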