CVE-2019-1258
8.8
Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: NVD
Description
An elevation of privilege vulnerability exists in Azure Active Directory Authentication Library On-Behalf-Of flow, in the way the library caches tokens. This vulnerability allows an authenticated attacker to perform actions in context of another user.
The authenticated attacker can exploit this vulnerability by accessing a service configured for On-Behalf-Of flow that assigns incorrect tokens.
This security update addresses the vulnerability by removing fallback cache look-up for On-Behalf-Of scenarios.
Affected (6)
Products: Microsoft: Active Directory Authentication Library, Nuget
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| Active Directory Authentication Library | From 5.0.5 to 5.2.0 |
| Nuget | Version 5.2.0 |
References (2)
Source: secure@microsoft.com
Patch, Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Patch, Vendor Advisory
Timeline (9)
2/20/2026 (1 change)
CVE Modified - Description
09:18 PM
- An elevation of privilege vulnerability exists in Azure Active Directory Authentication Library On-Behalf-Of flow, in the way the library caches tokens. This vulnerability allows an authenticated attacker to perform actions in context of another user.
The authenticated attacker can exploit this vulneraiblity by accessing a service configured for On-Behalf-Of flow that assigns incorrect tokens.
This security update addresses the vulnerability by removing fallback cache look-up for On-Behalf-Of scenarios.
+ An elevation of privilege vulnerability exists in Azure Active Directory Authentication Library On-Behalf-Of flow, in the way the library caches tokens. This vulnerability allows an authenticated attacker to perform actions in context of another user.
The authenticated attacker can exploit this vulneraiblity by accessing a service configured for On-Behalf-Of flow that assigns incorrect tokens.
This security update addresses the vulnerability by removing fallback cache look-up for On-Behalf-Of scenarios.
11/21/2024 (1 change)
CVE Modified - Reference
04:36 AM
- -
+ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1258
5/29/2024 (1 change)
CVE Modified - Description
05:16 PM
- An elevation of privilege vulnerability exists in Azure Active Directory Authentication Library On-Behalf-Of flow, in the way the library caches tokens, aka 'Azure Active Directory Authentication Library Elevation of Privilege Vulnerability'.
+ An elevation of privilege vulnerability exists in Azure Active Directory Authentication Library On-Behalf-Of flow, in the way the library caches tokens. This vulnerability allows an authenticated attacker to perform actions in context of another user.
The authenticated attacker can exploit this vulneraiblity by accessing a service configured for On-Behalf-Of flow that assigns incorrect tokens.
This security update addresses the vulnerability by removing fallback cache look-up for On-Behalf-Of scenarios.
8/24/2020 (1 change)
CWE Remap - CWE
05:37 PM
- CWE-264
+ NVD-CWE-noinfo
8/22/2019 (5 changes)
Initial Analysis - CPE Configuration
04:29 PM
- -
+ OR
*cpe:2.3:a:microsoft:active_directory_authentication_library:5.0.0:preview:*:*:*:.net:*:*
*cpe:2.3:a:microsoft:active_directory_authentication_library:5.0.1:preview:*:*:*:.net:*:*
*cpe:2.3:a:microsoft:active_directory_authentication_library:5.0.2:preview:*:*:*:.net:*:*
*cpe:2.3:a:microsoft:active_directory_authentication_library:5.0.3:preview:*:*:*:.net:*:*
*cpe:2.3:a:microsoft:active_directory_authentication_library:*:*:*:*:*:.net:*:* versions from (including) 5.0.5 up to (excluding) 5.2.0
*cpe:2.3:a:microsoft:nuget:5.2.0:*:*:*:*:*:*:*
Initial Analysis - CWE
04:29 PM
- -
+ CWE-264
Initial Analysis - Reference Type
04:29 PM
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1258 No Types Assigned
+ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1258 Patch, Vendor Advisory
Initial Analysis - CVSS V3
04:29 PM
- -
+ AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Initial Analysis - CVSS V2
04:29 PM
- -
+ (AV:N/AC:L/Au:S/C:P/I:P/A:P)