CVSS v3.1 base score: 5.5 Medium
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score: 5.5 Medium (confidence: High)

CVSS v2 base score: 2.1 Low
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector string: AV:L/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.0004 Low (percentile: 8.7%)
A maliciously crafted claim may be incorrectly authenticated by the bot. This affects bots that are not configured to be used as a Skill. Exploitation requires the attacker to have internal knowledge of the bot.
The problem has been patched in all affected version lines; see the list of patched versions for the one that fits your deployment.
Users who cannot or do not wish to upgrade can add an AuthenticationConfiguration containing a ClaimsValidator that throws an exception when the claims are Skill claims, so that a bot which is not itself a Skill rejects Skill-style tokens instead of accepting them.
For detailed instructions, see the aka.ms link in the References section.
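The workaround above, as an added example that is not part of this advisory or of the botbuilder-js project: a ClaimsValidator that throws when the inbound claims look like Skill claims. To run offline without botframework-connector installed, the skill-claim test is re-implemented locally; the claim names (ver, aud, appid, azp), the channel audience value and the rules in isSkillClaim are assumptions modelled on botframework-connector's AuthenticationConstants and SkillValidation, and the adapter wiring at the bottom (AuthenticationConfiguration, BotFrameworkAdapter) is an assumed API shown only as a comment. The sample claim sets are constructed and contain fake ids.

```javascript
'use strict';
// Added example, not code from the advisory or the botbuilder-js project. It shows the
// ClaimsValidator workaround for a bot that is not used as a Skill, with a local
// re-implementation of the skill-claim check so the file runs without botframework-connector.
// Claim names, the channel audience and the isSkillClaim rules are assumptions drawn from
// botframework-connector's AuthenticationConstants and SkillValidation.

const VERSION_CLAIM = 'ver';
const AUDIENCE_CLAIM = 'aud';
const APPID_CLAIM = 'appid'; // app id claim in v1.0 tokens
const AZP_CLAIM = 'azp';     // app id claim in v2.0 tokens
const CHANNEL_AUDIENCE = 'https://api.botframework.com';

function findClaim(claims, type) {
  const claim = claims.find((c) => c && c.type === type);
  return claim ? claim.value : undefined;
}

// The app id lives in "appid" for v1.0 tokens and in "azp" for v2.0 tokens.
function getAppIdFromClaims(claims) {
  const ver = findClaim(claims, VERSION_CLAIM);
  if (ver === undefined || ver === '1.0') return findClaim(claims, APPID_CLAIM);
  if (ver === '2.0') return findClaim(claims, AZP_CLAIM);
  return undefined;
}

// Model of SkillValidation.isSkillClaim: a skill token carries a version claim, an
// audience that is a bot app id rather than the channel service, and an app id claim
// (the calling skill's id) that differs from that audience.
function isSkillClaim(claims) {
  if (!Array.isArray(claims)) throw new TypeError('claims must be an array');
  if (findClaim(claims, VERSION_CLAIM) === undefined) return false;
  const aud = findClaim(claims, AUDIENCE_CLAIM);
  if (aud === undefined || aud === CHANNEL_AUDIENCE) return false;
  const appId = getAppIdFromClaims(claims);
  if (appId === undefined) return false;
  return appId !== aud;
}

// The ClaimsValidator for a bot that is not used as a Skill. The connector invokes it
// with the parsed claims of each inbound token; a thrown error fails authentication.
async function rejectSkillClaims(claims) {
  if (isSkillClaim(claims)) {
    throw new Error('Invalid call from a skill.');
  }
}

// Returns true when the validator accepts the claims, false when it throws.
async function acceptsClaims(claims) {
  try {
    await rejectSkillClaims(claims);
    return true;
  } catch (err) {
    return false;
  }
}

// Constructed sample claim sets (fake ids, no real tokens involved).
const BOT_APP_ID = '00000000-0000-0000-0000-0000000000b0';
const SKILL_APP_ID = '00000000-0000-0000-0000-0000000000c0';

const channelClaims = [ // ordinary token from the channel service
  { type: 'aud', value: CHANNEL_AUDIENCE },
  { type: 'appid', value: BOT_APP_ID },
];
const skillClaimsV1 = [ // skill-to-bot token, v1.0 shape
  { type: 'ver', value: '1.0' },
  { type: 'aud', value: BOT_APP_ID },
  { type: 'appid', value: SKILL_APP_ID },
];
const skillClaimsV2 = [ // skill-to-bot token, v2.0 shape
  { type: 'ver', value: '2.0' },
  { type: 'aud', value: BOT_APP_ID },
  { type: 'azp', value: SKILL_APP_ID },
];

// Wiring into an adapter (assumed API, kept as a comment so this file has no dependency):
//   const { AuthenticationConfiguration } = require('botframework-connector');
//   const authConfig = new AuthenticationConfiguration([], rejectSkillClaims);
//   const adapter = new BotFrameworkAdapter({ appId, appPassword, authConfig });

Promise.all([channelClaims, skillClaimsV1, skillClaimsV2].map(acceptsClaims))
  .then((results) => console.log('accepted:', results)); // [ true, false, false ]
```

The validator deliberately rejects on the shape of the claims rather than on a specific caller id, so a bot that is not a Skill refuses every skill-style token regardless of which app id presents it; a bot that is meant to be called as a Skill must not install this validator.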
If you have any questions or comments about this advisory:
aka.ms/SkillClaimsValidationJavascript
github.com/microsoft/botbuilder-js
github.com/microsoft/botbuilder-js/security/advisories/GHSA-fvcj-hvfw-7f2v
nvd.nist.gov/vuln/detail/CVE-2021-1725
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1725
www.npmjs.com/package/botframework-connector