Security
Headlines
HeadlinesLatestCVEs

Headline

Red Hat Security Advisory 2023-4030-01

Red Hat Security Advisory 2023-4030-01 - Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.

Packet Storm
#vulnerability#linux#red_hat#oauth#auth

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: grafana security update
Advisory ID: RHSA-2023:4030-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2023:4030
Issue date: 2023-07-12
CVE Names: CVE-2023-3128
=====================================================================

  1. Summary:

An update for grafana is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

  1. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

  1. Description:

Grafana is an open source, feature rich metrics dashboard and graph editor
for Graphite, InfluxDB & OpenTSDB.

Security Fix(es):

  • grafana: account takeover possible when using Azure AD OAuth
    (CVE-2023-3128)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

  1. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

  1. Bugs fixed (https://bugzilla.redhat.com/):

2213626 - CVE-2023-3128 grafana: account takeover possible when using Azure AD OAuth

  1. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
grafana-9.0.9-3.el9_2.src.rpm

aarch64:
grafana-9.0.9-3.el9_2.aarch64.rpm
grafana-debuginfo-9.0.9-3.el9_2.aarch64.rpm
grafana-debugsource-9.0.9-3.el9_2.aarch64.rpm

ppc64le:
grafana-9.0.9-3.el9_2.ppc64le.rpm
grafana-debuginfo-9.0.9-3.el9_2.ppc64le.rpm
grafana-debugsource-9.0.9-3.el9_2.ppc64le.rpm

s390x:
grafana-9.0.9-3.el9_2.s390x.rpm
grafana-debuginfo-9.0.9-3.el9_2.s390x.rpm
grafana-debugsource-9.0.9-3.el9_2.s390x.rpm

x86_64:
grafana-9.0.9-3.el9_2.x86_64.rpm
grafana-debuginfo-9.0.9-3.el9_2.x86_64.rpm
grafana-debugsource-9.0.9-3.el9_2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

  1. References:

https://access.redhat.com/security/cve/CVE-2023-3128
https://access.redhat.com/security/updates/classification/#critical

  1. Contact:

The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJkrlhbAAoJENzjgjWX9erEmqgP/08o++LnXE6gFFVoTMV8mv0X
aQ2K/92nc/40QClKKSPU6Emj1nq7+hI8TsROWUwuAnoSVUIUqJpRbjXp8VjeKVJA
v/OaPshsU2xkPy1IsxXgrMu0qftOt0yrkAiE8LRLdTi36WSrk1pR1DYhnXBpKVNv
6HdwSKdz/9lnCe4EMyimWIvYACsC6HkVR1pJ3ZvI9oN4MLCXvkxw64vKg4paQV63
DizfK894MZxUyoUNkV5poNr+N7JhmhDBLyTxM1LqJlbDPRo6zXQEGNuseDDNU5O9
gMEZ57ZS54DeweT6yvlomyQpoTMp8TuhBrI+hOol5SDQV+Z8k8QF1z0kVDrx4i63
U2gy1yKt0hTel9MXJ7M2MPLkleTxJxD0ZnWGhfun3ztkbA3EWnryv7739KfhyrAP
DoeSIuT2lHZC+TJyF3hHbYli2JfDQRlgLSiQSN6xtnOl6yW7qvyPQuyu2pCSRiWw
4w8ADz1yYymTLihqhy0KxU9F4avjDzhkF9aRVxzrAp9lesS0q9ntZ8PulXfXRNVX
VLJXFFHesy5I3hdL+TVDTyet5tZoDeYvvPHtCD4v6LS2wfMgTVCowphvDtoaDsm1
aDFB7oIxce7q5YcKXJ+cb+mgy8HcZ5ilSCX1wy9agIq+mfRrvrfNYkAeLobPvh93
M8arPhJhM7BKoFliAakK
=fiNF
-----END PGP SIGNATURE-----

RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Related news

Red Hat Security Advisory 2024-3925-03

Red Hat Security Advisory 2024-3925-03 - An update is now available for Red Hat Ceph Storage 7.1.

Understanding the Red Hat security impact scale

Red Hat uses a four-point impact scale to classify security issues affecting our products. Have you ever asked yourself what it takes and what the requirements are for each point of the scale? We will talk through the highlights of our process in this article.Is this a CVE?First and foremost, what is a CVE? Short for Common Vulnerabilities and Exposures, it is a list of publicly disclosed computer security flaws. Learn more in this Red Hat post.To receive a severity rating, the issue needs to be a CVE. But what does it take to be a CVE? In order to warrant a CVE ID, a vulnerability has to comp

RHSA-2023:4030: Red Hat Security Advisory: grafana security update

An update for grafana is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-3128: A flaw was found in Grafana, which validates Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique across Azure AD tenants, which enables Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant AzureAD OAuth application. This may allow an attacker to gain com...

New Fortinet's FortiNAC Vulnerability Exposes Networks to Code Execution Attacks

Fortinet has rolled out updates to address a critical security vulnerability impacting its FortiNAC network access control solution that could lead to the execution of arbitrary code. Tracked as CVE-2023-33299, the flaw is rated 9.6 out of 10 for severity on the CVSS scoring system. It has been described as a case of Java untrusted object deserialization. "A deserialization of untrusted data

GHSA-mpv3-g8m3-3fjc: Grafana vulnerable to Authentication Bypass by Spoofing

Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.

CVE-2023-3128: Grafana authentication bypass using Azure AD OAuth | Grafana Labs

Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.

Packet Storm: Latest News

TOR Virtual Network Tunneling Tool 0.4.8.13