CVE-2024-35255
CVE-2024-35255: Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
Published 2024-06-11
Priority P426 · medium · 5.5 CVSS 3.1
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.79% (51.6th percentile)
Affected
31 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| azure | identity | >= 0 < 4.2.1 | 4.2.1 |
| azure | msal-node | >= 2.7.0 < 2.9.2 | 2.9.2 |
| github.com | azure_azure-sdk-for-go_sdk_azidentity | >= 0 < 1.6.0-beta.4.0.20240610221955-50774cd97099 | 1.6.0-beta.4.0.20240610221955-50774cd97099 |
| github.com | azure_azure-sdk-for-go_sdk_azidentity | >= 0 < 1.6.0 | 1.6.0 |
| github.com | traefik_traefik_v2 | >= 0 < 2.11.5 | 2.11.5 |
| github.com | traefik_traefik_v3 | >= 0 < 3.0.3 | 3.0.3 |
| microsoft | authentication_library | < 1.15.1 | 1.15.1 |
| microsoft | authentication_library | < 4.61.3 | 4.61.3 |
| microsoft | authentication_library | <= 2.9.2 | — |
| microsoft | azure_identity_library | >= 1.0.0 < 1.6.0 | 1.6.0 |
| microsoft | azure_identity_library_for_c | >= 1.0.0 < 1.8.0 | 1.8.0 |
| microsoft | azure_identity_library_for_java | >= 1.0.0 < 1.12.2 | 1.12.2 |
| microsoft | azure_identity_library_for_javascript | >= 1.0.0 < 4.2.1 | 4.2.1 |
| microsoft | azure_identity_library_for_net | >= 1.0.0 < 1.11.4 | 1.11.4 |
| microsoft | azure_identity_library_for_python | >= 1.0.0 < 1.16.1 | 1.16.1 |
| microsoft | azure_identity_sdk | < 1.6.0 | 1.6.0 |
| microsoft | azure_identity_sdk | < 1.8.0 | 1.8.0 |
| microsoft | azure_identity_sdk | < 1.11.4 | 1.11.4 |
| microsoft | azure_identity_sdk | < 1.12.2 | 1.12.2 |
| microsoft | azure_identity_sdk | < 1.16.1 | 1.16.1 |
| microsoft | azure_identity_sdk | < 4.2.1 | 4.2.1 |
| microsoft | microsoft_authentication_library | >= 1.0.0 < 1.15.1 | 1.15.1 |
| msrc | azure_identity_library_for_c | — | — |
| msrc | azure_identity_library_for_go | — | — |
| msrc | azure_identity_library_for_java | — | — |
CVSS provenance
nvd · v3.1 · 5.5 · MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
ghsa · 5.5 · MEDIUM
osv · 5.5 · MEDIUM
vendor_msrc · 5.5 · MEDIUM
vendor_redhat · 5.5 · MEDIUM
Red Hat
azure-identity: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity
vendor_redhat·2024-07-01·CVSS 5.5
CVE-2024-35255 [MEDIUM] CWE-362 azure-identity: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
A flaw was found in Microsoft's Azure Identity Libraries and the Microsoft Authentication Library (MSAL). The flaw arises from a race condition—a scenario where the timing of events leads to unexpected behavior—during concurrent operations on shared resources. This can result in privilege escalation, allowing attackers to gain unauthorized access to sensitive information. The vulnerability affects multiple versions of these libraries across various programming languages, including Java, .NET, Node.js, Python, JavaScript, C++, and Go. Microsoft has addressed this
Microsoft
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
vendor_msrc·2024-06-11·CVSS 5.5
CVE-2024-35255 [MEDIUM] CWE-362 Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability?
An attacker who successfully exploited the vulnerability could elevate privileges and read any file on the file system with SYSTEM access permissions.
FAQ: According to the CVSS metric, Integrity and Availability impact is None (I:N/A:N). What does that mean for this vulnerability?
An attacker who successfully exploits this vulnerability can only obtain read access to the system files by exploiting this vulnerability. The attacker cannot perform write or delete operations on the files.
FAQ: Which credential types provided by the Azure Identity client library are affected?
The vulnerability exi
OSV
Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity
osv·2024-07-01
CVE-2024-35255 Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity
OSV
ACME DNS: Azure Identity Libraries Elevation of Privilege Vulnerability
osv·2024-06-20·CVSS 5.5
CVE-2024-35255 [MEDIUM] ACME DNS: Azure Identity Libraries Elevation of Privilege Vulnerability
### Impact
There is a vulnerability in [Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability](https://nvd.nist.gov/vuln/detail/CVE-2024-35255).
### References
- [CVE-2024-35255](https://nvd.nist.gov/vuln/detail/CVE-2024-35255)
### Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.5
- https://github.com/traefik/traefik/releases/tag/v3.0.3
### Workarounds
No workaround.
### For more information
If you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).
GHSA
ACME DNS: Azure Identity Libraries Elevation of Privilege Vulnerability
ghsa·2024-06-20·CVSS 5.5
CVE-2024-35255 [MEDIUM] CWE-362 ACME DNS: Azure Identity Libraries Elevation of Privilege Vulnerability
OSV
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
osv·2024-06-11
CVE-2024-35255 [MEDIUM] Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.
GHSA
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
ghsa·2024-06-11
CVE-2024-35255 [MEDIUM] CWE-362 Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2024-35255 azure-identity: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity
bugzilla·2024-07-01·CVSS 5.5
CVE-2024-35255 [MEDIUM] CVE-2024-35255 azure-identity: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity
Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity
Discussion:
This issue has been addressed in the following products:
Red Hat build of Apache Camel for Quarkus 2.13
Via RHSA-2024:7052 https://access.redhat.com/errata/RHSA-2024:7052
Trendmicro
The June 2024 Security Update Review
blogs_trendmicro·2024-06-11
# The June 2024 Security Update Review
Get the June 2024 security update and review.
By: Dustin Childs
2024/06/11
Somehow, we’ve made it to the sixth patch Tuesday of 2024, and Microsoft and Adobe have released their regularly scheduled updates. Take a break from your regular activities and join us as we review the details of their latest security alerts. If you’d rather watch the full video recap covering the entire release, you can check it out here:
Adobe Patches for June 2024
For June, Adobe released 10 patches addressing 165(!) CVEs in Adobe Cold Fusion, Photoshop, Experience Manager, Audition, Media Encoder, FrameMaker Publishing Server, Adobe Commerce, Substance 3D Stager, Creative Cloud Desktop, and Acrobat Android. The fix for Experience Ma
Published 2024-06-11