What is CVE-2019-1258?

CVE-2019-1258 is a vulnerability in Azure Active Directory Authentication Library (ADAL) that allows an attacker to elevate their privileges.

What is the severity of CVE-2019-1258?

CVE-2019-1258 has a severity rating of 8.8 (high).

Which software is affected by CVE-2019-1258?

The affected software is Microsoft Active Directory Authentication Library (ADAL) versions 5.0.5 to 5.2.0 and Microsoft Nuget version 5.2.0.

How does CVE-2019-1258 work?

CVE-2019-1258 exploits the way Azure Active Directory Authentication Library (ADAL) caches tokens to gain elevated privileges.

Is there a fix for CVE-2019-1258?

Yes, Microsoft has released a security advisory with guidance on how to mitigate the CVE-2019-1258 vulnerability.

Vulnerability/
CVE-2019-1258

high

8.8

14/8/2019

16/8/2019

4/8/2024

CVE-2019-1258: Azure Active Directory Authentication Library Elevation of Privilege Vulnerability

First published: Wed Aug 14 2019(Updated: )

An elevation of privilege vulnerability exists in Azure Active Directory Authentication Library On-Behalf-Of flow, in the way the library caches tokens, aka 'Azure Active Directory Authentication Library Elevation of Privilege Vulnerability'.

Credit: secure@microsoft.com secure@microsoft.com

Affected Software	Affected Version	How to fix
Microsoft Active Directory Authentication Library	>=5.0.5<5.2.0
Microsoft Active Directory Authentication Library	=5.0.0-preview
Microsoft Active Directory Authentication Library	=5.0.1-preview
Microsoft Active Directory Authentication Library	=5.0.2-preview
Microsoft Active Directory Authentication Library	=5.0.3-preview
Microsoft Nuget	=5.2.0
nuget/microsoft.identitymodel.clients.activedirectory	>=5.0.0<=5.1.1	5.2.0

Remedy

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1258

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2019-1258?
CVE-2019-1258 is a vulnerability in Azure Active Directory Authentication Library (ADAL) that allows an attacker to elevate their privileges.
What is the severity of CVE-2019-1258?
CVE-2019-1258 has a severity rating of 8.8 (high).
Which software is affected by CVE-2019-1258?
The affected software is Microsoft Active Directory Authentication Library (ADAL) versions 5.0.5 to 5.2.0 and Microsoft Nuget version 5.2.0.
How does CVE-2019-1258 work?
CVE-2019-1258 exploits the way Azure Active Directory Authentication Library (ADAL) caches tokens to gain elevated privileges.
Is there a fix for CVE-2019-1258?
Yes, Microsoft has released a security advisory with guidance on how to mitigate the CVE-2019-1258 vulnerability.

collector/nvd-index
agent/type
collector/mitre-cve
source/MITRE
agent/remedy
agent/title
agent/first-publish-date
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/author
agent/description
collector/github-advisory-latest
source/GitHub
alias/GHSA-xc6x-cq47-9chw
alias/CVE-2019-1258
agent/references
agent/last-modified-date
agent/severity
agent/softwarecombine
agent/event
collector/nvd-cve
agent/tags
collector/github-advisory
vendor/microsoft
canonical/microsoft active directory authentication library
version/microsoft active directory authentication library/5.0.5
version/microsoft active directory authentication library/5.0.0-preview
version/microsoft active directory authentication library/5.0.1-preview
version/microsoft active directory authentication library/5.0.2-preview
version/microsoft active directory authentication library/5.0.3-preview
canonical/microsoft nuget
version/microsoft nuget/5.2.0
package-manager/nuget