CVE-2019-1258

Summary

An elevation of privilege vulnerability exists in Azure Active Directory Authentication Library On-Behalf-Of flow, in the way the library caches tokens. This vulnerability allows an authenticated attacker to perform actions in context of another user. The authenticated attacker can exploit this vulneraiblity by accessing a service configured for On-Behalf-Of flow that assigns incorrect tokens. This security update addresses the vulnerability by removing fallback cache look-up for On-Behalf-Of scenarios.

Affected Software

VendorProductVersion RangeStatus
MicrosoftADAL.NET5.0.0 < publicationaffected
MicrosoftNuget 5.2.05.0.0 < publicationaffected

Weaknesses

  • Elevation of Privilege

ADP Enrichment

CVE Program Container

Additional References

References