CVE-2021-42306

CWE-522Insufficiently Protected CredentialsCWE-668Exposure to Wrong Sphere4 documents4 sources
Severity
6.5MEDIUM
EPSS
8.5%
top 7.61%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Microsoft Azure AutomationMicrosoft Azure Active DirectoryMicrosoft Azure Active Site Recovery+2 more
Timeline
PublishedNov 24
Latest updateNov 25

Description

An information disclosure vulnerability manifests when a user or an application uploads unprotected private key data as part of an authentication certificate keyCredential on an Azure AD Application or Service Principal (which is not recommended). This vulnerability allows a user or service in the tenant with application read access to read the private key data that was added to the application. Azure AD addressed this vulnerability by preventing disclosure of any private key values added to the

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages8 packages

NVDmicrosoft/azure_migrate< 2021-11-02
CVEListV5microsoft/azure_automation1.0.0publication
NVDmicrosoft/azure_automation< 2021-10-15

Patches

Patch: portal.msrc.microsoft.comPatch: portal.msrc.microsoft.com

🔴Vulnerability Details

2
GHSA
GHSA-vxjx-p5m9-q5fr: Azure Active Directory Information Disclosure Vulnerability2021-11-25
CVEList
Azure Active Directory Information Disclosure Vulnerability2021-11-24

📋Vendor Advisories

1
Microsoft
Azure Active Directory Information Disclosure Vulnerability2021-11-09
CVE-2021-42306 (MEDIUM CVSS 6.5) | An information disclosure vulnerabi | cvebase.io