Vulnerability Details : CVE-2019-1258
An elevation of privilege vulnerability exists in Azure Active Directory Authentication Library On-Behalf-Of flow, in the way the library caches tokens. This vulnerability allows an authenticated attacker to perform actions in the context of another user.
The authenticated attacker can exploit this vulnerability by accessing a service configured for On-Behalf-Of flow that assigns incorrect tokens.
This security update addresses the vulnerability by removing fallback cache look-up for On-Behalf-Of scenarios.
Vulnerability category: Gain privilege
Products affected by CVE-2019-1258
- cpe:2.3:a:microsoft:nuget:5.2.0:*:*:*:*:*:*:*
- Microsoft » Active Directory Authentication Library » For .NET, versions from including (>=) 5.0.5 and before (<) 5.2.0: cpe:2.3:a:microsoft:active_directory_authentication_library:*:*:*:*:*:.net:*:*
- cpe:2.3:a:microsoft:active_directory_authentication_library:5.0.1:preview:*:*:*:.net:*:*
- cpe:2.3:a:microsoft:active_directory_authentication_library:5.0.2:preview:*:*:*:.net:*:*
- cpe:2.3:a:microsoft:active_directory_authentication_library:5.0.3:preview:*:*:*:.net:*:*
- cpe:2.3:a:microsoft:active_directory_authentication_library:5.0.0:preview:*:*:*:.net:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-1258
- 0.17%: probability of exploitation activity in the next 30 days
- ~55%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-1258
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST | |
8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
References for CVE-2019-1258
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1258 : CVE-2019-1258 | Azure Active Directory Authentication Library Elevation of Privilege Vulnerability (Patch; Vendor Advisory)