Lucene search

K

Veracode Vulnerability DatabaseVERACODE:47515

HistoryJun 13, 2024 - 9:06 a.m.

Privilege Escalation

2024-06-1309:06:24

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

10

azure

microsoft

privilege escalation

identity

authentication

vulnerability

tokens

keys

defaultazurecredential

managedidentitycredential

system privileges

filesystem

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.3

Confidence

High

EPSS

0

Percentile

9.0%

Azure Identity and Microsoft Authentication are vulnerable to Privilege Escalation. The vulnerability is due to improper handling of tokens and keys within DefaultAzureCredential and ManagedIdentityCredential classes, allowing an attacker to elevate to SYSTEM privileges read arbitrary files on the filesystem.

References

github.com/advisories/GHSA-m5vv-6r4h-3vj9

github.com/Azure/azure-sdk-for-go/commit/50774cd9709905523136fb05e8c85a50e8984499

github.com/Azure/azure-sdk-for-java/commit/5bf020d6ea056de40e2738e3647a4e06f902c18d

github.com/Azure/azure-sdk-for-js/commit/c6aa75d312ae463e744163cedfd8fc480cc8d492

github.com/Azure/azure-sdk-for-net/commit/9279a4f38bf69b457cfb9b354f210e0a540a5c53

github.com/Azure/azure-sdk-for-python/commit/cb065acd7d0f957327dc4f02d1646d4e51a94178

msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.3

Confidence

High

EPSS

0

Percentile

9.0%

Related for VERACODE:47515

osv139 vulnrichment1 gitlab2 redhatcve1 github2 nessus5 cbl_mariner3 freebsd1 mscve1 cve1 cvelist1 wolfi1 nvd1 ibm2 amazon1 redhat1 kaspersky1 rapid7blog1