CVE-2021-42306

Name: CVE-2021-42306
Creator: NVD / NIST
Published: 2021-11-24T01:15:08.363+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.1/10EPSS 3.08%

Last modified Jun 17, 2026

CVE-2021-42306 is a high-severity vulnerability rated 8.1/10 on the CVSS scale. An information disclosure vulnerability manifests when a user or an application uploads unprotected private key data as part of an authentication certificate keyCredential  on an Azure AD Application or Service Principal (which is not recommended). This vulnerability allows a user or service in the tenant with application read access to read the private key data that was added to the application. Azure AD addressed this vulnerability by preventing disclosure of any private key values added to the application. Microsoft has identified services that could manifest this vulnerability, and steps that customers should take to be protected. EPSS estimates a 3.08% chance of exploitation in the next 30 days.

Description

An information disclosure vulnerability manifests when a user or an application uploads unprotected private key data as part of an authentication certificate keyCredential  on an Azure AD Application or Service Principal (which is not recommended). This vulnerability allows a user or service in the tenant with application read access to read the private key data that was added to the application. Azure AD addressed this vulnerability by preventing disclosure of any private key values added to the application. Microsoft has identified services that could manifest this vulnerability, and steps that customers should take to be protected. Refer to the FAQ section for more information. For more details on this issue, please refer to the MSRC Blog Entry.

Metrics

CVSS 3.1

8.1/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Probability

3.08%

86.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-522

Affected Software

Vendor	Product	Versions
Microsoft	Azure Active Directory	< 2021-10-30
Microsoft	Azure Active Site Recovery	< 2021-11-01
Microsoft	Azure Automation	< 2021-10-15
Microsoft	Azure Migrate	< 2021-11-02

References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42306Patch, Vendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42306Patch, Vendor Advisory

Timeline

Published: Nov 24, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-42306?

How severe is CVE-2021-42306?

CVE-2021-42306 has a CVSS score of 8.1/10 (HIGH severity). The EPSS model estimates a 3.08% probability of exploitation in the next 30 days.

How do I fix CVE-2021-42306?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-42306?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST