{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-35255", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2024-05-14T20:14:47.411Z", "datePublished": "2024-06-11T16:59:47.754Z", "dateUpdated": "2024-12-31T19:37:41.856Z"}, "containers": {"cna": {"title": "Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability", "datePublic": "2024-06-11T07:00:00+00:00", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_identity_library_for_.net:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.11.4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:microsoft_authentication_library_for_java:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.15.1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_identity_sdk_for_go:*:*:*:*:*:-:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.6.0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_identity_library_for_java:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.12.2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_identity_library_for_javascript:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "4.2.1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_identity_library_for_c_plus_plus:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.8.0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_identity_library_for_python:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.16.1"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Azure Identity Library for .NET", "platforms": ["Unknown"], "versions": [{"version": "1.0.0", "lessThan": "1.11.4", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Microsoft Authentication Library", "platforms": ["Unknown"], "versions": [{"version": "1.0.0", "lessThan": "1.15.1", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Azure Identity Library", "platforms": ["Unknown"], "versions": [{"version": "1.0.0", "lessThan": "1.6.0", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Azure Identity Library for Java", "platforms": ["Unknown"], "versions": [{"version": "1.0.0", "lessThan": "1.12.2", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Azure Identity Library for JavaScript", "platforms": ["Unknown"], "versions": [{"version": "1.0.0", "lessThan": "4.2.1", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Azure Identity Library for C++", "platforms": ["Unknown"], "versions": [{"version": "1.0.0", "lessThan": "1.8.0", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Azure Identity Library for Python", "platforms": ["Unknown"], "versions": [{"version": "1.0.0", "lessThan": "1.16.1", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "lang": "en-US", "type": "CWE", "cweId": "CWE-362"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2024-12-31T19:37:41.856Z"}, "references": [{"name": "Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability", "tags": ["vendor-advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "MEDIUM", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-13T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2024-35255"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-14T03:55:56.287Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:07:46.822Z"}, "title": "CVE Program Container", "references": [{"name": "Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "x_transferred"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255", "name": "Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:07:46.822Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-35255", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-11T18:48:03.183092Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-11T18:48:07.726Z"}}], "cna": {"title": "Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Azure Identity Library for .NET", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "1.11.4", "versionType": "custom"}], "platforms": ["Unknown"]}, {"vendor": "Microsoft", "product": "Microsoft Authentication Library", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "1.15.1", "versionType": "custom"}], "platforms": ["Unknown"]}, {"vendor": "Microsoft", "product": "Azure Identity Library", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "1.6.0", "versionType": "custom"}], "platforms": ["Unknown"]}, {"vendor": "Microsoft", "product": "Azure Identity Library for Java", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "1.12.2", "versionType": "custom"}], "platforms": ["Unknown"]}, {"vendor": "Microsoft", "product": "Azure Identity Library for JavaScript", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "4.2.1", "versionType": "custom"}], "platforms": ["Unknown"]}, {"vendor": "Microsoft", "product": "Azure Identity Library for C++", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "1.8.0", "versionType": "custom"}], "platforms": ["Unknown"]}, {"vendor": "Microsoft", "product": "Azure Identity Library for Python", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "1.16.1", "versionType": "custom"}], "platforms": ["Unknown"]}], "datePublic": "2024-06-11T07:00:00+00:00", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255", "name": "Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en-US", "value": "Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability"}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:azure_identity_library_for_.net:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.11.4", "versionStartIncluding": "1.0.0"}, {"criteria": "cpe:2.3:a:microsoft:microsoft_authentication_library_for_java:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.15.1", "versionStartIncluding": "1.0.0"}, {"criteria": "cpe:2.3:a:microsoft:azure_identity_sdk_for_go:*:*:*:*:*:-:*:*", "vulnerable": true, "versionEndExcluding": "1.6.0", "versionStartIncluding": "1.0.0"}, {"criteria": "cpe:2.3:a:microsoft:azure_identity_library_for_java:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.12.2", "versionStartIncluding": "1.0.0"}, {"criteria": "cpe:2.3:a:microsoft:azure_identity_library_for_javascript:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.2.1", "versionStartIncluding": "1.0.0"}, {"criteria": "cpe:2.3:a:microsoft:azure_identity_library_for_c_plus_plus:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.8.0", "versionStartIncluding": "1.0.0"}, {"criteria": "cpe:2.3:a:microsoft:azure_identity_library_for_python:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.16.1", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2024-12-31T19:37:41.856Z"}}}, "cveMetadata": {"cveId": "CVE-2024-35255", "state": "PUBLISHED", "dateUpdated": "2024-12-31T19:37:41.856Z", "dateReserved": "2024-05-14T20:14:47.411Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2024-06-11T16:59:47.754Z", "assignerShortName": "microsoft"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:authentication_library:*:*:*:*:*:java:*:*", "matchCriteriaId": "1F13542D-538A-47C1-9BD1-9E0D5CBCE26B", "versionEndExcluding": "1.15.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:authentication_library:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "F7C63AFB-7B70-45A6-A9F2-83B413A83951", "versionEndIncluding": "2.9.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:authentication_library:*:*:*:*:*:.net:*:*", "matchCriteriaId": "3C2C72F0-370B-40C9-BE59-003759D8075D", "versionEndExcluding": "4.61.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:go:*:*", "matchCriteriaId": "4747CC36-3E5B-40E3-A955-75044682B9B7", "versionEndExcluding": "1.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:c\\+\\+:*:*", "matchCriteriaId": "E994EFF7-09AC-4979-A37B-5030C56F0F70", "versionEndExcluding": "1.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:.net:*:*", "matchCriteriaId": "1D1BABF5-442F-4A95-A608-DEF21245930F", "versionEndExcluding": "1.11.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:java:*:*", "matchCriteriaId": "2EDF4F14-5A4B-4EA4-B1DA-6E3779BF4F8A", "versionEndExcluding": "1.12.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:python:*:*", "matchCriteriaId": "4D509315-188D-403A-B9DC-1104958834F1", "versionEndExcluding": "1.16.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:javascript:*:*", "matchCriteriaId": "9BC2D3A8-759D-4BBC-AA63-45D7A52EF907", "versionEndExcluding": "4.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability"}, {"lang": "es", "value": "Vulnerabilidad de elevaci\u00f3n de privilegios en las librer\u00edas de identidad de Azure y la librer\u00eda de autenticaci\u00f3n de Microsoft"}], "id": "CVE-2024-35255", "lastModified": "2024-11-21T09:20:01.923", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "secure@microsoft.com", "type": "Secondary"}]}, "published": "2024-06-11T17:16:03.550", "references": [{"source": "secure@microsoft.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "secure@microsoft.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-362"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:7052", "cpe": "cpe:/a:redhat:camel_quarkus:3.8", "package": "com.azure/azure-identity", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3", "release_date": "2024-09-24T00:00:00Z"}, {"advisory": "RHBA-2024:7523", "cpe": "cpe:/a:redhat:rhdh:1.3::el9", "package": "rhdh/rhdh-hub-rhel9:1.3-100", "product_name": "Red Hat Developer Hub 1.3 on RHEL 9", "release_date": "2024-10-02T00:00:00Z"}, {"advisory": "RHSA-2025:0536", "cpe": "cpe:/a:redhat:cert_manager:1.15::el9", "package": "registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9:sha256:49940e94193b06df5f5ff454aeb38a8b9a44e99b02d54600cb2442f81ff6dc25", "product_name": "cert-manager operator for Red Hat OpenShift 1.15", "release_date": "2025-01-21T00:00:00Z"}, {"advisory": "RHSA-2025:0536", "cpe": "cpe:/a:redhat:cert_manager:1.15::el9", "package": "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9:sha256:df96fa00709d2ff36b7b9d7977eb18aad4c3b3c93862e5babbfa76001353a3e8", "product_name": "cert-manager operator for Red Hat OpenShift 1.15", "release_date": "2025-01-21T00:00:00Z"}], "bugzilla": {"description": "azure-identity: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity", "id": "2295081", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295081"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "details": ["Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability", "A flaw was found in Microsoft's Azure Identity Libraries and the Microsoft Authentication Library (MSAL). The flaw arises from a race condition\u2014a scenario where the timing of events leads to unexpected behavior\u2014during concurrent operations on shared resources. This can result in privilege escalation, allowing attackers to gain unauthorized access to sensitive information. The vulnerability affects multiple versions of these libraries across various programming languages, including Java, .NET, Node.js, Python, JavaScript, C++, and Go. Microsoft has addressed this issue by releasing updated versions of the affected libraries. Users are strongly advised to upgrade to these patched versions to mitigate potential security risks."], "name": "CVE-2024-35255", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Will not fix", "package_name": "aap-cloud-metrics-collector-container", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-24/ee-dellemc-openmanage-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-24/ee-minimal-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-24/ee-supported-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-24/platform-resource-runner-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-25/ansible-builder-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-25/ee-cloud-services-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Will not fix", "package_name": "com.azure/azure-identity", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Affected", "package_name": "com.azure/azure-identity", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Will not fix", "package_name": "com.azure/azure-identity", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh-operator-container", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "com.azure/azure-identity", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Not affected", "package_name": "odf4/mcg-core-rhel8", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Not affected", "package_name": "devspaces/code-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2024-07-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-35255\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-35255\nhttps://github.com/Azure/azure-sdk-for-go/commit/50774cd9709905523136fb05e8c85a50e8984499\nhttps://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4806#issuecomment-2178960340\nhttps://github.com/advisories/GHSA-m5vv-6r4h-3vj9\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255"], "threat_severity": "Moderate"}