CVE-2024-35255: Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
First published: Tue Jun 11 2024(Updated: )
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
Credit: secure@microsoft.com secure@microsoft.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Microsoft Azure Identity Library for .NET | ||
| Microsoft Authentication Library (MSAL) for Python | ||
| Microsoft Azure Identity Library for C++ | ||
| Microsoft Azure Identity Library for JavaScript | ||
| Microsoft Azure Identity Library for Go | ||
| Microsoft Azure Identity Library for Python | ||
| Microsoft Azure Identity Library for Java | ||
| nuget/Microsoft.Identity.Client | >=4.61.0<4.61.3 | 4.61.3 |
| nuget/Microsoft.Identity.Client | >=4.49.1<4.60.4 | 4.60.4 |
| maven/com.microsoft.azure:msal4j | >=1.14.4-beta<1.15.1 | 1.15.1 |
| npm/@azure/msal-node | >=2.7.0<2.9.2 | 2.9.2 |
| nuget/Azure.Identity | <1.11.4 | 1.11.4 |
| go/github.com/Azure/azure-sdk-for-go/sdk/azidentity | <1.6.0 | 1.6.0 |
| maven/com.azure:azure-identity | <1.12.2 | 1.12.2 |
| npm/@azure/identity | <4.2.1 | 4.2.1 |
| pip/azure-identity | <1.16.1 | 1.16.1 |
| Microsoft Authentication Library | ||
| Microsoft Authentication Library for Java | ||
| Microsoft Authentication Library for Java | ||
| Microsoft Authentication Library for Java | <1.15.1 | |
| Microsoft Authentication Library for Java | <=2.9.2 | |
| Microsoft Authentication Library .net | <4.61.3 | |
| Microsoft Azure Identity SDK for Go | <1.6.0 | |
| Microsoft Azure Identity SDK | <1.8.0 | |
| Microsoft Azure Identity SDK for .NET | <1.11.4 | |
| Microsoft Azure Identity SDK for Java | <1.12.2 | |
| Microsoft Azure Identity SDK for Python | <1.16.1 | |
| Microsoft Azure Identity SDK for JavaScript | <4.2.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255 (Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2024-35255
- https://github.com/Azure/azure-sdk-for-go/commit/50774cd9709905523136fb05e8c85a50e8984499
- https://github.com/Azure/azure-sdk-for-js/commit/c6aa75d312ae463e744163cedfd8fc480cc8d492
- https://github.com/Azure/azure-sdk-for-python/commit/cb065acd7d0f957327dc4f02d1646d4e51a94178
- https://github.com/Azure/azure-sdk-for-java/commit/5bf020d6ea056de40e2738e3647a4e06f902c18d
- https://github.com/Azure/azure-sdk-for-net/commit/9279a4f38bf69b457cfb9b354f210e0a540a5c53
- https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4806#issuecomment-2178960340
- https://github.com/advisories/GHSA-m5vv-6r4h-3vj9 (Advisory)
- https://access.redhat.com/errata/RHSA-2024:7052
- https://bugzilla.redhat.com/show_bug.cgi?id=2295081
Frequently Asked Questions
What is the severity of CVE-2024-35255?
CVE-2024-35255 is classified as an Elevation of Privilege Vulnerability affecting Azure Identity Libraries and Microsoft Authentication Library.
How do I fix CVE-2024-35255?
To mitigate CVE-2024-35255, update the affected Azure Identity Library or Microsoft Authentication Library to the latest patched version.
Which products are affected by CVE-2024-35255?
CVE-2024-35255 affects various products including Azure Identity Library for .NET, MSAL for Python, MSAL for Java, and more across multiple programming languages.
What vulnerabilities are associated with Azure Identity Libraries in CVE-2024-35255?
CVE-2024-35255 is specifically identified as an Elevation of Privilege Vulnerability within the Azure Identity Libraries and Microsoft Authentication Library.
When was CVE-2024-35255 disclosed?
CVE-2024-35255 was disclosed publicly by Microsoft as part of their security vulnerability updates.
- agent/title
- agent/type
- collector/msrc-cve
- source/Microsoft
- agent/software-canonical-lookup
- agent/first-publish-date
- agent/software-canonical-lookup-request
- agent/weakness
- agent/author
- collector/msrc
- agent/remedy
- agent/softwarecombine
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-m5vv-6r4h-3vj9
- alias/CVE-2024-35255
- collector/github-advisory
- agent/severity
- agent/references
- agent/event
- agent/description
- agent/trending
- collector/mitre-cve
- source/MITRE
- agent/source
- agent/tags
- collector/redhat-bugzilla
- source/Red Hat
- agent/last-modified-date
- collector/nvd-cve
- source/NVD
- collector/nvd-api
- vendor/microsoft
- canonical/microsoft azure identity library for .net
- canonical/microsoft authentication library (msal) for python
- canonical/microsoft azure identity library for c++
- canonical/microsoft azure identity library for javascript
- canonical/microsoft azure identity library for go
- canonical/microsoft azure identity library for python
- canonical/microsoft azure identity library for java
- package-manager/nuget
- package-manager/maven
- package-manager/npm
- package-manager/go
- package-manager/pip
- canonical/microsoft authentication library
- canonical/microsoft authentication library for java
- version/microsoft authentication library for java/2.9.2
- canonical/microsoft authentication library .net
- canonical/microsoft azure identity sdk for go
- canonical/microsoft azure identity sdk
- canonical/microsoft azure identity sdk for .net
- canonical/microsoft azure identity sdk for java
- canonical/microsoft azure identity sdk for python
- canonical/microsoft azure identity sdk for javascript