Authentication Bypass in Microsoft Azure Active Directory Passport for Node.js
CVE-2016-7191

8.1HIGH

Key Information:

Vendor
Microsoft
Status
Azure Active Directory Passport
Vendor
CVE Published:
28 September 2016

Summary

The Microsoft Azure Active Directory Passport library, utilized in Node.js applications, suffers from a serious authentication bypass issue. Versions 1.x prior to 1.4.6 and 2.x prior to 2.0.1 do not properly recognize the 'validateIssuer' setting. This oversight enables remote attackers to exploit crafted tokens, bypassing standard authentication mechanisms and potentially gaining unauthorized access to sensitive application resources.

References

https://github.com/AzureAD/passport-azure-ad/blob/master/...
x_refsource_CONFIRM
http://www.securitytracker.com/id/1036996
vdb-entryx_refsource_SECTRACK
https://support.microsoft.com/kb/3187742
vendor-advisoryx_refsource_MSKB

EPSS Score

10% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.