Azure Active Directory Information Disclosure Vulnerability
CVE-2021-42306

8.1HIGH

Key Information:

Vendor: Microsoft
Status: Azure Automation; Azure Active Directory; Azure Site Recovery; Azure Migrate
Vendor: CVE Published:; 24 November 2021

Summary

An information disclosure vulnerability manifests when a user or an application uploads unprotected private key data as part of an authentication certificate keyCredential  on an Azure AD Application or Service Principal (which is not recommended). This vulnerability allows a user or service in the tenant with application read access to read the private key data that was added to the application. Azure AD addressed this vulnerability by preventing disclosure of any private key values added to the application. Microsoft has identified services that could manifest this vulnerability, and steps that customers should take to be protected. Refer to the FAQ section for more information. For more details on this issue, please refer to the MSRC Blog Entry.

Affected Version(s)

Azure Active Directory Unknown

Azure Automation Unknown 1.0.0

Azure Migrate Unknown

References

https://portal.msrc.microsoft.com/en-US/security-guidance...

x_refsource_MISC

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 24, 2021
Vulnerability Reserved
Oct 12, 2021

Collectors

NVD DatabaseMitre Database