Lucene search

[email protected]CVE-2021-42306

HistoryNov 24, 2021 - 1:15 a.m.

CVE-2021-42306

2021-11-2401:15:08

CWE-522

[email protected]

web.nvd.nist.gov

azure

active directory

information disclosure

vulnerability

cve-2021-42306

nvd

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

6.3 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

68.6%

JSON

An information disclosure vulnerability manifests when a user or an application uploads unprotected private key data as part of an authentication certificate keyCredential  on an Azure AD Application or Service Principal (which is not recommended). This vulnerability allows a user or service in the tenant with application read access to read the private key data that was added to the application.
Azure AD addressed this vulnerability by preventing disclosure of any private key values added to the application.
Microsoft has identified services that could manifest this vulnerability, and steps that customers should take to be protected. Refer to the FAQ section for more information.
For more details on this issue, please refer to the MSRC Blog Entry.

Affected configurations

Vulners

NVD

Node

microsoftazure_automation

VendorProductVersionCPE
microsoftazure_automation*cpe:2.3:a:microsoft:azure_automation:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
microsoft	azure_automation	*	cpe:2.3:a:microsoft:azure_automation::::::::

CNA Affected

[
  {
    "vendor": "Microsoft",
    "product": "Azure Automation",
    "cpes": [
      "cpe:2.3:a:microsoft:azure_automation:-:*:*:*:*:*:*:*"
    ],
    "platforms": [
      "Unknown"
    ],
    "versions": [
      {
        "version": "1.0.0",
        "lessThan": "publication",
        "versionType": "custom",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "Microsoft",
    "product": "Azure Active Directory",
    "cpes": [],
    "platforms": [
      "Unknown"
    ],
    "versions": [
      {
        "version": "N/A",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "Microsoft",
    "product": "Azure Site Recovery",
    "cpes": [],
    "platforms": [
      "Unknown"
    ],
    "versions": [
      {
        "version": "N/A",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "Microsoft",
    "product": "Azure Migrate",
    "cpes": [],
    "platforms": [
      "Unknown"
    ],
    "versions": [
      {
        "version": "N/A",
        "status": "affected"
      }
    ]
  }
]