Miggo Logo
Miggo Vulnerability Database
CVE-2023-3128

CVE-2023-3128: Grafana vulnerable to Authentication Bypass by Spoofing

9.4

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-3128
GHSA ID
GHSA-mpv3-g8m3-3fjc
EPSS Score
0.79516%
CWE
CWE-290
Published
6/22/2023
Updated
2/13/2025
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/grafana/grafanago>= 9.4.0, < 9.4.139.4.13
github.com/grafana/grafanago>= 9.3.0, < 9.3.169.3.16
github.com/grafana/grafanago>= 9.0.0, < 9.2.209.2.20
github.com/grafana/grafanago< 8.5.278.5.27

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from using Azure AD's mutable email claim for authentication instead of the immutable subject (sub) identifier. The primary vulnerable function would be in the Azure AD OAuth handler where user identity is established. While exact code isn't shown, Grafana's architecture patterns suggest the UserInfo method in AzureADProvider would handle claim extraction, and SocialBase would contain generic OAuth claim processing logic. The high confidence for AzureADProvider comes from Microsoft's explicit guidance against email-based identification, while the SocialBase function gets medium confidence as it's a common pattern in OAuth implementations.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*r***n* is v*li**tin* *zur* ** ***ounts **s** on t** *m*il *l*im. On *zur* **, t** pro*il* *m*il *i*l* is not uniqu* *n* **n ** **sily mo*i*i**. T*is l***s to ***ount t*k*ov*r *n* *ut**nti**tion *yp*ss w**n *zur* ** O*ut* is *on*i*ur** wit* * mul

Reasoning

T** vuln*r**ility st*ms *rom usin* *zur* **'s mut**l* *m*il *l*im *or *ut**nti**tion inst*** o* t** immut**l* su*j**t (su*) i**nti*i*r. T** prim*ry vuln*r**l* `*un*tion` woul* ** in t** *zur* ** O*ut* **n*l*r w**r* us*r i**ntity is *st**lis***. W*il*