Description
Microsoft Azure Active Directory B2C Spoofing Vulnerability
FAQ
According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?
The attacker must inject themselves into the logical network path between the target and the resource requested by the victim to read or modify network communications. This is called a machine-in-the-middle (MITM) attack.
How does the update address this vulnerability?
As part of Azure AD Business-to-Customer's (B2C) ongoing commitment to our customers, we recently rolled out an update to our behavior for Proof Key for Code Exchange (PKCE), as outlined in our documentation here. This update adds enforcement on B2C’s /token endpoint: code redemption attempts that include the PKCE code_verifier parameter must also present an authorization code that was originally opted in to PKCE via the code_challenge parameter.
In effect, this change reduces the possibility for attackers to send fraudulent authorization codes to your consuming service, and it is aligned with the “OAuth 2.0 Security Best Current Practice” document here.
What actions do customers need to take to protect themselves from this vulnerability?
The vast majority of customers have received the update automatically and do not need to take any action to update their applications. A small subset of customers are required to take an action and have been notified directly via Azure Service Health Alerts under Tracking ID: 6MFP-NTZ. If you did not receive this notification, there is no action required.
Exploitability
Publicly Disclosed
Exploited
Latest Software Release
DOS
EPSS
6.8 Medium
CVSS3
Related vulnerabilities
Microsoft Azure Active Directory B2C Spoofing Vulnerability
A vulnerability in the Microsoft Azure Active Directory B2C identity and access management service, related to incorrect presentation of information by the user interface, that allows an attacker to carry out spoofing attacks
EPSS
6.8 Medium
CVSS3