What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who successfully exploited the vulnerability could elevate privileges and read any file on the file system with SYSTEM access permissions. According to the CVSS metric, Integrity and Availability impact is None (I:N/A:N). What does that mean for this vulnerability? An attacker who successfully exploits this vulnerability can only obtain read access to the system files by exploiting this vulnerability. The attacker cannot perform write or delete operations on the files. Which credential types provided by the Azure Identity client library are affected? The vulnerability exists in the following credential types: DefaultAzureCredential ManagedIdentityCredential Which credential types provided by the Microsoft Authentication Libraries are affected? The vulnerability exists in the following credential types: ManagedIdentityApplication (.NET) ManagedIdentityApplication (Java) ManagedIdentityApplication (Node.js) **What versions of Microsoft Authentication Libraries (MSAL) are affected by this vulnerability? ** Microsoft Authentication Library Minimum Version Number Affected Fixed Version Number MSAL for .NET 4.49.1 4.61.3 MSAL for Java 1.14.4-beta 1.15.1 MSAL for Node 2.7.0 2.9.2
Vladimir Abramzon with Microsoft, Eli Arbel with Microsoft