Security
Headlines
HeadlinesLatestCVEs

Tag

#Azure SDK

CVE-2024-35255: Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability

**What privileges could be gained by an attacker who successfully exploited the vulnerability?** An attacker who successfully exploited the vulnerability could elevate privileges and read any file on the file system with SYSTEM access permissions.

Microsoft Security Response Center
#vulnerability#microsoft#auth#Azure SDK#Security Vulnerability
CVE-2024-29992: Azure Identity Library for .NET Information Disclosure Vulnerability

**What type of information could be disclosed by this vulnerability?** The type of information that could be disclosed if an attacker successfully exploited this vulnerability is data inside the targeted website like IDs, tokens, nonces, and other sensitive information. **Which credential types provided by the Azure Identity client library are affected?** The vulnerability exists in the following credential types: 1. DefaultAzureCredential 2. ManagedIdentityCredential

CVE-2024-21421: Azure SDK Spoofing Vulnerability

**What actions do customers need to take to protect themselves from this vulnerability?** Customers with deployments created prior to Oct 19. 2023 must manually upgrade azure-core to Azure Core Build 1.29.5 or higher to be protected. For information reference the following: https://azure.github.io/azure-sdk/releases/latest/index.html. Customers with deployments created after October 19, 2023 recieved the fix automatically and no action is needed.

CVE-2023-36414: Azure Identity SDK Remote Code Execution Vulnerability

**According to the CVSS metric, the attack vector is network (AV:N), and privilege required is low (PR:L). What is the target used in the context of the remote code execution?** The attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call. The privilege requirement is low because the attacker needs to be authenticated as a normal user.

CVE-2023-36415: Azure Identity SDK Remote Code Execution Vulnerability

**According to the CVSS metric, the attack vector is network (AV:N), and privilege required is low (PR:L). What is the target used in the context of the remote code execution?** The attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call. The privilege requirement is low because the attacker needs to be authenticated as a normal user.

CVE-2022-26907: Azure SDK for .NET Information Disclosure Vulnerability

**What information could be disclosed by this vulnerability?** This vulnerability could disclose sensitive information in exception body, which might include user access tokens.

CVE-2022-26907: Azure SDK for .NET Information Disclosure Vulnerability

**What type of information could be disclosed by this vulnerability?** This vulnerability could disclose sensitive information in exception body, which might include user access tokens.