Security News > 2023 > June > Grafana warns of critical auth bypass due to Azure AD integration

Grafana warns of critical auth bypass due to Azure AD integration
2023-06-24 15:18

Grafana has released security fixes for multiple versions of its application, addressing a vulnerability that enables attackers to bypass authentication and take over any Grafana account that uses Azure Active Directory for authentication.

Grafana is a widely used open-source analytics and interactive visualization app that offers extensive integration options with a wide range of monitoring platforms and applications.

This setting is not unique across all Azure AD tenants, allowing threat actors to create Azure AD accounts with the same email address as legitimate Grafana users and use them to hijack accounts.

"This can enable a Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant Azure AD OAuth application," reads Grafana's advisory.

The issue impacts all Grafana deployments configured to use Azure AD OAuth for user authentication with a multi-tenant Azure application and without restrictions on which user groups can authenticate.

Microsoft fixes Azure AD auth flaw enabling account takeover.


News URL

https://www.bleepingcomputer.com/news/security/grafana-warns-of-critical-auth-bypass-due-to-azure-ad-integration/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Grafana 11 4 41 30 6 81