CVE-2021-40456: Windows AD FS Security Feature Bypass Vulnerability

Overview

Severity

Medium (CVSS 5.3)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

Category

Security Feature Bypass

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2021-Oct

Released

2021-10-12

EPSS Score

2.26% (percentile: 84.6%)

FAQ

What kind of security feature could be bypassed by successfully exploiting this vulnerability? This vulnerability could allow an attacker to bypass ADFS BannedIPList entries for WS-Trust workflows.

Affected Products (6)

Windows

• Windows Server 2019
• Windows Server 2019 (Server Core installation)
• Windows Server 2022
• Windows Server 2022 (Server Core installation)
• Windows Server, version 2004 (Server Core installation)
• Windows Server, version 20H2 (Server Core Installation)

Security Updates (3)

• 5006672
• 5006699
• 5006670

Revision History

• 2021-10-12: Information published.