grafana-10.0.1-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13018 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z grafana-10.0.1-1.1 on GA media These are all security issues fixed in the grafana-10.0.1-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13018 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13018 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-3128/ SUSE CVE CVE-2023-3128 page openSUSE Tumbleweed grafana-10.0.1-1.1 grafana-10.0.1-1.1 as a component of openSUSE Tumbleweed Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app. CVE-2023-3128 openSUSE Tumbleweed:grafana-10.0.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-3128.html CVE-2023-3128 https://bugzilla.suse.com/1212641 SUSE Bug 1212641