x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-mpv3-g8m3-3fjc #1875

GoVulnBot · 2023-06-28T00:01:14Z

In GitHub Security Advisory GHSA-mpv3-g8m3-3fjc, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/grafana/grafana	8.5.27	< 8.5.27

Cross references:

Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-41244 #259 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-43798 #275 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-43813 #276 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-43815 #277 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21673 #296 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21702 #311 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21703 #312 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21713 #313 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2018-18623 #342 NOT_IMPORTABLE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana/pkg/api: GHSA-rgjg-66cx-5x9m #707 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana/pkg/api/avatar: GHSA-wc9w-wvq2-ffm9 #753 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-27358, GHSA-h5rh-w6vm-9ghc #773 #773 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-39226, GHSA-69j6-29vr-p3j9 #934 NOT_IMPORTABLE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-7rqg-hjwc-6mjf #1599 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-hjv9-hm2f-rpcj #1603 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-xw5p-hw8j-xg4q #1604 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-3cgw-hfw7-wc7j #1673 NOT_A_VULNERABILITY
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-qrrg-gw7w-vp76 #1674 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-7phr-6cc9-4m5q #1680 NOT_GO_CODE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-wm7r-3qxj-5xgq #1843 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-x2w4-c67p-g44j #1844 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-cvm3-pp2j-chr3 #1856 EFFECTIVELY_PRIVATE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/grafana/grafana
      versions:
        - fixed: 8.5.27
      packages:
        - package: github.com/grafana/grafana
    - module: github.com/grafana/grafana
      versions:
        - introduced: 9.0.0
          fixed: 9.2.20
      packages:
        - package: github.com/grafana/grafana
    - module: github.com/grafana/grafana
      versions:
        - introduced: 9.3.0
          fixed: 9.3.16
      packages:
        - package: github.com/grafana/grafana
    - module: github.com/grafana/grafana
      versions:
        - introduced: 9.4.0
          fixed: 9.4.13
      packages:
        - package: github.com/grafana/grafana
summary: Grafana vulnerable to Authentication Bypass by Spoofing
description: |-
    Grafana is validating Azure AD accounts based on the email claim.

    On Azure AD, the profile email field is not unique and can be easily modified.

    This leads to account takeover and authentication bypass when Azure AD OAuth is
    configured with a multi-tenant app.
cves:
    - CVE-2023-3128
ghsas:
    - GHSA-mpv3-g8m3-3fjc
references:
    - web: https://nvd.nist.gov/vuln/detail/CVE-2023-3128
    - web: https://grafana.com/security/security-advisories/cve-2023-3128/
    - web: https://github.com/grafana/grafana/blob/69fc4e6bc0be2a82085ab3885c2262a4d49e97d8/CHANGELOG.md
    - advisory: https://github.com/advisories/GHSA-mpv3-g8m3-3fjc

The text was updated successfully, but these errors were encountered:

gopherbot · 2023-07-05T16:40:39Z

Change https://go.dev/cl/507896 mentions this issue: data/excluded: batch add 10 excluded reports

gopherbot · 2023-07-05T18:45:17Z

Change https://go.dev/cl/507901 mentions this issue: data/excluded: batch add 8 excluded reports

gopherbot · 2023-07-05T20:45:51Z

Change https://go.dev/cl/507904 mentions this issue: data/excluded: batch add 8 excluded reports

gopherbot · 2024-06-14T17:44:03Z

Change https://go.dev/cl/592761 mentions this issue: data/reports: unexclude 75 reports

tatianab self-assigned this Jun 28, 2023

tatianab added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Jun 28, 2023

gopherbot closed this as completed in 67babcd Jul 6, 2023

GoVulnBot mentioned this issue Jul 25, 2023

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-x5fh-fvvr-892f #1964

Closed

GoVulnBot mentioned this issue Oct 17, 2023

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-fw9c-75hh-89p6 #2120

Closed

GoVulnBot mentioned this issue Feb 13, 2024

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-3hv4-r2fm-h27f #2551

Closed

GoVulnBot mentioned this issue Mar 7, 2024

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-5mxf-42f5-j782 #2629

Closed

GoVulnBot mentioned this issue Mar 27, 2024

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-mh7p-8m2f-qrm6 #2662

Closed

GoVulnBot mentioned this issue Apr 5, 2024

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-67rv-qpw2-6qrr #2697

Closed

GoVulnBot mentioned this issue Aug 20, 2024

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-hh8p-374f-qgr5 #3079

Closed

This was referenced Oct 25, 2024

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-q99m-qcv4-fpm7 #3215

Closed

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-66c4-2g2v-54qw #3240

Closed

GoVulnBot mentioned this issue Jan 31, 2025

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-wxcc-2f3q-4h58 #3438

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-mpv3-g8m3-3fjc #1875

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-mpv3-g8m3-3fjc #1875

GoVulnBot commented Jun 28, 2023

gopherbot commented Jul 5, 2023

gopherbot commented Jul 5, 2023

gopherbot commented Jul 5, 2023

gopherbot commented Jun 14, 2024

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-mpv3-g8m3-3fjc #1875

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-mpv3-g8m3-3fjc #1875

Comments

GoVulnBot commented Jun 28, 2023

gopherbot commented Jul 5, 2023

gopherbot commented Jul 5, 2023

gopherbot commented Jul 5, 2023

gopherbot commented Jun 14, 2024