CVE-2019-1126

Published: Jul 15, 2019Modified: Nov 21, 2024

5.3

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

A security feature bypass vulnerability exists in Active Directory Federation Services (ADFS) which could allow an attacker to bypass the extranet lockout policy.To exploit this vulnerability, an attacker could run a specially crafted application, which would allow an attacker to launch a password brute-force attack or cause account lockouts in Active Directory.This security update corrects how ADFS handles external authentication requests., aka 'ADFS Security Feature Bypass Vulnerability'. This CVE ID is unique from CVE-2019-0975.

Affected (5)

Products: Microsoft: Windows Server 2012, Windows Server 2016, Windows Server 2019

3 products

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Microsoft Windows Server 2012	Version r2
Microsoft Windows Server 2016	All versions
Microsoft Windows Server 2016	Version 1803
Microsoft Windows Server 2016	Version 1903
Microsoft Windows Server 2019	All versions

Related CWEs

CWE-307

Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

References (2)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1126

Source: secure@microsoft.com

PatchVendor Advisory

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1126

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.