Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:rpm/redhat/grafana@9.2.10-7?arch=el8_9

Type rpm

Namespace redhat

Name grafana

Version 9.2.10-7

Qualifiers

arch	el8_9

Subpath

Is_vulnerable true

Next_non_vulnerable_version null

Latest_non_vulnerable_version null

Affected_by_vulnerabilities

url

VCID-z7wb-tvk2-myhr

vulnerability_id

VCID-z7wb-tvk2-myhr

summary

Grafana vulnerable to Authentication Bypass by Spoofing
Grafana is validating Azure AD accounts based on the email claim. 

On Azure AD, the profile email field is not unique and can be easily modified. 

This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-3128.json

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-3128.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-3128

reference_id

reference_type

scores

value	0.01879
scoring_system	epss
scoring_elements	0.83099
published_at	2026-04-04T12:55:00Z

value	0.01879
scoring_system	epss
scoring_elements	0.83146
published_at	2026-04-11T12:55:00Z

value	0.01879
scoring_system	epss
scoring_elements	0.83129
published_at	2026-04-09T12:55:00Z

value	0.01879
scoring_system	epss
scoring_elements	0.83122
published_at	2026-04-08T12:55:00Z

value	0.01879
scoring_system	epss
scoring_elements	0.83086
published_at	2026-04-02T12:55:00Z

value	0.01879
scoring_system	epss
scoring_elements	0.83097
published_at	2026-04-07T12:55:00Z

value	0.01879
scoring_system	epss
scoring_elements	0.83199
published_at	2026-04-24T12:55:00Z

value	0.01879
scoring_system	epss
scoring_elements	0.83177
published_at	2026-04-21T12:55:00Z

value	0.01879
scoring_system	epss
scoring_elements	0.83173
published_at	2026-04-18T12:55:00Z

value	0.01879
scoring_system	epss
scoring_elements	0.83136
published_at	2026-04-13T12:55:00Z

value	0.01879
scoring_system	epss
scoring_elements	0.8314
published_at	2026-04-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-3128

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	9.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/grafana/bugbounty/security/advisories/GHSA-gxh2-6vvc-rrgp

reference_id

reference_type

scores

value	9.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-12-06T15:26:35Z/

url

https://github.com/grafana/bugbounty/security/advisories/GHSA-gxh2-6vvc-rrgp

reference_url

https://github.com/grafana/grafana

reference_id

reference_type

scores

value	9.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/grafana/grafana

reference_url

https://github.com/grafana/grafana/blob/69fc4e6bc0be2a82085ab3885c2262a4d49e97d8/CHANGELOG.md

reference_id

reference_type

scores

value	9.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/grafana/grafana/blob/69fc4e6bc0be2a82085ab3885c2262a4d49e97d8/CHANGELOG.md

reference_url

https://grafana.com/security/security-advisories/cve-2023-3128

reference_id

reference_type

scores

value	9.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://grafana.com/security/security-advisories/cve-2023-3128

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-3128

reference_id

reference_type

scores

value	9.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-3128

reference_url

https://security.netapp.com/advisory/ntap-20230714-0004

reference_id

reference_type

scores

value	9.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20230714-0004

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2213626
reference_id	2213626
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2213626

reference_url

https://grafana.com/security/security-advisories/cve-2023-3128/

reference_id

cve-2023-3128

reference_type

scores

value	9.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-12-06T15:26:35Z/

url

https://grafana.com/security/security-advisories/cve-2023-3128/

reference_url

https://security.netapp.com/advisory/ntap-20230714-0004/

reference_id

ntap-20230714-0004

reference_type

scores

value	9.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-12-06T15:26:35Z/

url

https://security.netapp.com/advisory/ntap-20230714-0004/

reference_url	https://access.redhat.com/errata/RHSA-2023:4030
reference_id	RHSA-2023:4030
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:4030

reference_url	https://access.redhat.com/errata/RHSA-2023:6972
reference_id	RHSA-2023:6972
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:6972

reference_url	https://access.redhat.com/errata/RHSA-2024:3925
reference_id	RHSA-2024:3925
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:3925

fixed_packages

aliases

CVE-2023-3128, GHSA-mpv3-g8m3-3fjc

risk_score

4.5

exploitability

0.5

weighted_severity

9.0

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-z7wb-tvk2-myhr

Fixing_vulnerabilities

Risk_score 4.5

Resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/grafana@9.2.10-7%3Farch=el8_9

Package Instance