Grafana fixes critical Azure AD-related flaw

Patches have been issued by the open-source analytics and interactive visualization app Grafana for a critical security flaw, tracked as CVE-2023-3128, which could be exploited to hijack accounts that use Azure Active Directory for authentication, according to BleepingComputer. Grafana noted that the vulnerability stems from email claim-based validation of Azure AD accounts. "This can enable a Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant Azure AD OAuth application. If exploited, the attacker can gain complete control of a user's account, including access to private customer data and sensitive information," said Grafana in its advisory. Organizations have been recommended to upgrade to Grafana 10.0.1 or later; Grafana 9.5.5 or later; Grafana 9.4.13 or later; Grafana 9.3.16 or later; Grafana 9.2.20 or later; or Grafana 8.5.27 or later, while those unable to upgrade were advised to perform single tenant application registration in Azure AD and create an "allowed_groups" configuration in Azure AD settings as mitigations.
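To show why matching accounts on the email claim is fragile under a multi-tenant registration, here is an added illustration (not Grafana's code) that contrasts an email-only lookup with one that pins the accepted tenant and keys the account on the token's tenant and object identifiers; the claim struct, account store and sample users are assumed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Claims: subset of an Azure AD ID token (assumed shape; tid, oid, email are standard claim names).
type Claims struct{ TenantID, ObjectID, Email string }
// User is a local account record; Store is the account table (constructed for this example).
type User struct {
	ID                        int
	Email, TenantID, ObjectID string
}
type Store struct{ Users []User }

// SampleStore holds one local user provisioned from tenant-A (sample data).
func SampleStore() *Store {
	return &Store{Users: []User{{1, "alice@example.com", "tenant-A", "oid-alice"}}}
}

// LookupByEmail mirrors the weak pattern: any token with a matching email claim resolves to the account, whichever tenant issued it.
func (s *Store) LookupByEmail(c Claims) (*User, error) {
	for i := range s.Users {
		if s.Users[i].Email == c.Email {
			return &s.Users[i], nil
		}
	}
	return nil, errors.New("no such user")
}

// LookupPinned rejects tokens from other tenants and keys the account on the stable (tid, oid) pair, not the changeable email.
func (s *Store) LookupPinned(c Claims, allowedTenant string) (*User, error) {
	if c.TenantID != allowedTenant {
		return nil, errors.New("tenant not allowed")
	}
	for i := range s.Users {
		if s.Users[i].TenantID == c.TenantID && s.Users[i].ObjectID == c.ObjectID {
			return &s.Users[i], nil
		}
	}
	return nil, errors.New("no such user")
}

func main() {
	foreign := Claims{"tenant-B", "oid-other", "alice@example.com"} // same email, different tenant
	u, _ := SampleStore().LookupByEmail(foreign)
	_, err := SampleStore().LookupPinned(foreign, "tenant-A")
	fmt.Println("email-only lookup resolved the account:", u != nil, "| pinned lookup:", err)
}
```

Pinning the tenant corresponds to the single-tenant registration Grafana recommends for installations that cannot upgrade; keying on (tid, oid) additionally survives a user's email being changed.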
