CVE-2019-1258

5 documents5 sources

Severity

8.8HIGH

EPSS

10.6%

top 6.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Adal.net Microsoft Nuget 5.2.0 Microsoft Active Directory Authentication Library +1 more

Timeline

PublishedAug 14

Latest updateAug 16

Description

An elevation of privilege vulnerability exists in Azure Active Directory Authentication Library On-Behalf-Of flow, in the way the library caches tokens. This vulnerability allows an authenticated attacker to perform actions in context of another user. The authenticated attacker can exploit this vulneraiblity by accessing a service configured for On-Behalf-Of flow that assigns incorrect tokens. This security update addresses the vulnerability by removing fallback cache look-up for On-Behalf-Of sc…

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

▶NVDmicrosoft/active_directory_authentication_library5.0.5 — 5.2.0+4

▶NuGetmicrosoft.identitymodel.clients.activedirectory5.0.0 — 5.2.0

▶CVEListV5microsoft/adal.net5.0.0 — publication

▶CVEListV5microsoft/nuget_5.2.05.0.0 — publication

▶NVDmicrosoft/nuget5.2.0

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

OSV

Vulnerability in Azure Active Directory Authentication Library↗2019-08-16

▶

GHSA

Vulnerability in Azure Active Directory Authentication Library↗2019-08-16

▶

CVEList

Azure Active Directory Authentication Library Elevation of Privilege Vulnerability↗2019-08-14

▶

📋Vendor Advisories

Microsoft

Azure Active Directory Authentication Library Elevation of Privilege Vulnerability↗2019-08-13

▶