CVE-2023-3128: 
Grafana vulnerability analysis and mitigation

CVE-2023-3128 is a critical authentication bypass vulnerability discovered in Grafana that affects versions 6.7.0 through 8.5.26, 9.2.0 through 9.2.19, and other versions prior to their respective patches. The vulnerability was disclosed on June 22, 2023, and impacts Grafana installations that use Azure AD OAuth configured with a multi-tenant application (Grafana Advisory, NVD).

The vulnerability stems from Grafana's implementation of Azure AD OAuth authentication, where user validation is based solely on the email claim. Since the profile email field in Azure AD is not unique across tenants and can be easily modified, this creates a security weakness. The vulnerability has received a CVSS v3.1 base score of 9.8 (Critical), indicating its severe nature (NVD).

Successful exploitation of this vulnerability allows attackers to perform account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app. An attacker can gain complete control of a user's account, including access to private customer data and sensitive information. The vulnerability also bypasses the 'allowed_domains' configuration which should limit access to users belonging to specific domains (GitHub Advisory).

The vulnerability has been patched in Grafana versions 10.0.1, 9.5.5, 9.4.13, 9.3.16, 9.2.20, and 8.5.27. For systems where immediate upgrade is not possible, mitigation options include adding an allowed_groups configuration to Azure AD setup or registering a single tenant application in Azure AD instead of a multi-tenant one (Security Online).