Strix
26.1K

CVE-2019-1258

UnknownEPSS 3.80%

Last modified

CVE-2019-1258 is a vulnerability of currently unknown severity. An elevation of privilege vulnerability exists in Azure Active Directory Authentication Library On-Behalf-Of flow, in the way the library caches tokens. This vulnerability allows an authenticated attacker to perform actions in context of another user. The authenticated attacker can exploit this vulneraiblity by accessing a service configured for On-Behalf-Of flow that assigns incorrect tokens. This security update addresses the vulnerability by removing fallback cache look-up for On-Behalf-Of scenarios.. EPSS estimates a 3.80% chance of exploitation in the next 30 days.

Description

An elevation of privilege vulnerability exists in Azure Active Directory Authentication Library On-Behalf-Of flow, in the way the library caches tokens. This vulnerability allows an authenticated attacker to perform actions in context of another user. The authenticated attacker can exploit this vulneraiblity by accessing a service configured for On-Behalf-Of flow that assigns incorrect tokens. This security update addresses the vulnerability by removing fallback cache look-up for On-Behalf-Of scenarios.

Metrics

EPSS Probability
3.80%

88.6th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

VendorProductVersionsUpdate
MicrosoftActive Directory Authentication Library>= 5.0.5, < 5.2.0
MicrosoftActive Directory Authentication Library5.0.0Preview
MicrosoftActive Directory Authentication Library5.0.1Preview
MicrosoftActive Directory Authentication Library5.0.2Preview
MicrosoftActive Directory Authentication Library5.0.3Preview
MicrosoftNuget5.2.0

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2019-1258?
An elevation of privilege vulnerability exists in Azure Active Directory Authentication Library On-Behalf-Of flow, in the way the library caches tokens. This vulnerability allows an authenticated attacker to perform actions in context of another user. The authenticated attacker can exploit this vulneraiblity by accessing a service configured for On-Behalf-Of flow that assigns incorrect tokens. This security update addresses the vulnerability by removing fallback cache look-up for On-Behalf-Of scenarios.
How severe is CVE-2019-1258?
Severity scoring for CVE-2019-1258 is pending analysis. The EPSS model estimates a 3.80% probability of exploitation in the next 30 days.
How do I fix CVE-2019-1258?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-1258?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST