Description
Azure Active Directory Authentication Library Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists in the Azure Active Directory Authentication Library (ADAL) On-Behalf-Of flow, in the way the library caches tokens. It allows an authenticated attacker to perform actions in the context of another user.
An authenticated attacker can exploit this vulnerability by accessing a service configured for the On-Behalf-Of flow whose token cache can hand out a token that was issued for a different user.
This security update addresses the vulnerability by removing the fallback cache look-up for On-Behalf-Of scenarios.
Mitigations
The recommended mitigation for this vulnerability is to use one token cache per account (a separate TokenCache instance per signed-in user, rather than a single cache shared across users) when implementing the ADAL On-Behalf-Of flow. Keeping caches per account is also sound practice after updating: a look-up can then only ever return the calling user's own tokens.
See https://aka.ms/adal-net-cache-serialization-web-app-web-api for more information.
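The following is an added example (not code from the advisory or from the ADAL.NET project) showing the shared-cache pattern the advisory warns about beside the per-account pattern the mitigation asks for, in a hypothetical middle-tier web API that calls a downstream API on behalf of its caller. The authority, client id, secret, downstream resource and class names are placeholders; the cache key uses the caller's `oid` and `tid` claims, which is an assumption about how the incoming token is validated.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Hypothetical middle-tier API. All identifiers below are placeholders.
public sealed class OnBehalfOfTokenProvider
{
    private const string Authority = "https://login.microsoftonline.com/contoso.onmicrosoft.com";
    private const string DownstreamResource = "https://downstream.contoso.com";
    private const string JwtBearerAssertionType = "urn:ietf:params:oauth:grant-type:jwt-bearer";
    private static readonly ClientCredential Credential =
        new ClientCredential("00000000-0000-0000-0000-000000000000", "<client-secret-from-key-vault>");

    // WEAK: one process-wide cache shared by every caller. With ADAL.NET 5.0.0 Preview
    // through 5.1.1 the library's fallback cache look-up could return a token cached
    // for a different user, so this API would call downstream as the wrong person.
    private static readonly AuthenticationContext SharedContext =
        new AuthenticationContext(Authority, TokenCache.DefaultShared);

    public static Task<AuthenticationResult> AcquireDownstreamTokenSharedCache(string incomingAccessToken)
    {
        var assertion = new UserAssertion(incomingAccessToken, JwtBearerAssertionType);
        return SharedContext.AcquireTokenAsync(DownstreamResource, Credential, assertion);
    }

    // HARDENED: one TokenCache per account (the advisory's mitigation). Each request
    // gets a cache that only ever contains entries for the validated caller, so a
    // cache hit cannot be another user's token regardless of library behaviour.
    private static readonly ConcurrentDictionary<string, byte[]> PerUserCacheStore =
        new ConcurrentDictionary<string, byte[]>();

    public static Task<AuthenticationResult> AcquireDownstreamTokenPerUserCache(
        ClaimsPrincipal caller, string incomingAccessToken)
    {
        string accountKey = CacheKeyFor(caller);
        var cache = new PerUserTokenCache(accountKey, PerUserCacheStore);
        var context = new AuthenticationContext(Authority, cache);
        var assertion = new UserAssertion(incomingAccessToken, JwtBearerAssertionType);
        return context.AcquireTokenAsync(DownstreamResource, Credential, assertion);
    }

    // oid + tid identify an account stably; UPN/email can be reassigned, so do not key on them.
    internal static string CacheKeyFor(ClaimsPrincipal caller)
    {
        string oid = caller.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value
                     ?? caller.FindFirst("oid")?.Value;
        string tid = caller.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid")?.Value
                     ?? caller.FindFirst("tid")?.Value;
        if (string.IsNullOrEmpty(oid) || string.IsNullOrEmpty(tid))
            throw new InvalidOperationException("Caller token lacks oid/tid claims; refusing to build a cache key.");
        return oid + "." + tid;
    }
}

// A TokenCache whose persisted state belongs to exactly one account.
internal sealed class PerUserTokenCache : TokenCache
{
    private readonly string _accountKey;
    private readonly ConcurrentDictionary<string, byte[]> _store;

    public PerUserTokenCache(string accountKey, ConcurrentDictionary<string, byte[]> store)
    {
        _accountKey = accountKey;
        _store = store;
        // Load only this account's entries before ADAL reads the cache.
        BeforeAccess = args =>
        {
            if (_store.TryGetValue(_accountKey, out byte[] blob))
                DeserializeAdalV3(blob);
        };
        // Persist back under the same account key after ADAL writes to the cache.
        AfterAccess = args =>
        {
            if (HasStateChanged)
            {
                _store[_accountKey] = SerializeAdalV3();
                HasStateChanged = false;
            }
        };
    }
}
```

The in-memory dictionary stands in for whatever per-user store the service already has (session, distributed cache, database); the point is that the blob handed to `DeserializeAdalV3` was written for the same account the request is being made for. Updating to ADAL.NET 5.2.0 removes the fallback look-up that made the shared-cache variant dangerous, but the per-account layout remains the recommended design.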
FAQ
| Question | Answer |
|---|---|
| Last version of the ADAL library affected by this vulnerability | 5.1.1 |
| First version of the ADAL library affected by this vulnerability | 5.0.0 Preview |
| First version of the ADAL library with this vulnerability addressed | 5.2.0 |
Updates
| Product | Article | Update |
|---|---|---|
| ADAL.NET | | NuGet 5.2.0 |
Related vulnerabilities
Vulnerability in Azure Active Directory Authentication Library
Vulnerability in the ADAL.NET library for Windows operating systems allowing an attacker to elevate privileges