Vulnerability Details : CVE-2014-6331
Microsoft Active Directory Federation Services (AD FS) 2.0, 2.1, and 3.0, when a configured SAML Relying Party lacks a sign-out endpoint, does not properly process logoff actions, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation, aka "Active Directory Federation Services Information Disclosure Vulnerability."
Vulnerability category: Information leak
Products affected by CVE-2014-6331
- cpe:2.3:a:microsoft:active_directory_federation_services:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:active_directory_federation_services:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:active_directory_federation_services:3.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-6331
- EPSS score: 33.60% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~97% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2014-6331
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST |
CWE ids for CVE-2014-6331
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-6331
- http://blogs.technet.com/b/srd/archive/2014/11/11/assessing-risk-for-the-november-2014-security-updates.aspx
  Assessing Risk for the November 2014 Security Updates, Microsoft Security Response Center (Vendor Advisory)
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-077
  Microsoft Security Bulletin MS14-077 - Important, Microsoft Docs
- http://www.securitytracker.com/id/1031195
  Microsoft Active Directory Federation Services Logout Failure Lets Local Users Access the Target User's Account, SecurityTracker
- http://www.securityfocus.com/bid/70938
  Microsoft Active Directory Federation Services CVE-2014-6331 Information Disclosure Vulnerability, SecurityFocus