Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2024-35255
Vulnerability from cvelistv5
Published
2024-06-11 16:59
Modified
2024-08-02 03:07
Severity ?
EPSS score ?
References
▼ | URL | Tags | |
---|---|---|---|
secure@microsoft.com | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255 | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
▼ | Microsoft | Azure Identity Library for .NET |
Version: 1.0.0 < 1.11.4 cpe:2.3:a:microsoft:azure_identity_library_for_.net:-:*:*:*:*:*:*:* |
||||||||||||||||||||||||
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-35255", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-06-13T00:00:00+00:00", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-14T03:55:56.287Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T03:07:46.822Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "cpes": [ "cpe:2.3:a:microsoft:azure_identity_library_for_.net:-:*:*:*:*:*:*:*" ], "platforms": [ "Unknown" ], "product": "Azure Identity Library for .NET", "vendor": "Microsoft", "versions": [ { "lessThan": "1.11.4", "status": "affected", "version": "1.0.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:microsoft:microsoft_authentication_library_for_java:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:microsoft_authentication_library_for_.net:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:microsoft_authentication_library_for_node.js:-:*:*:*:*:*:*:*" ], "platforms": [ "Unknown" ], "product": "Microsoft Authentication Library", "vendor": "Microsoft", "versions": [ { "lessThan": "1.15.1", "status": "affected", "version": "1.0.0", "versionType": "custom" }, { "lessThan": "4.61.3", "status": "affected", "version": "1.0.0", "versionType": "custom" }, { "lessThan": "2.9.2", "status": "affected", "version": "1.0.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:microsoft:azure_identity_sdk_for_go:-:*:*:*:*:-:*:*" ], "platforms": [ "Unknown" ], "product": "Azure Identity Library", "vendor": "Microsoft", "versions": [ { "lessThan": "1.6.0", "status": "affected", "version": "1.0.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:microsoft:azure_identity_library_for_java:-:*:*:*:*:*:*:*" ], "platforms": [ "Unknown" ], "product": "Azure Identity Library for Java", "vendor": "Microsoft", "versions": [ { "lessThan": "1.12.2", "status": "affected", "version": "1.0.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:microsoft:azure_identity_library_for_javascript:-:*:*:*:*:*:*:*" ], "platforms": [ "Unknown" ], "product": "Azure Identity Library for JavaScript", "vendor": "Microsoft", "versions": [ { "lessThan": "4.2.1", "status": "affected", "version": "1.0.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:microsoft:azure_identity_library_for_c_plus_plus:-:*:*:*:*:*:*:*" ], "platforms": [ "Unknown" ], "product": "Azure Identity Library for C++", "vendor": "Microsoft", "versions": [ { "lessThan": "1.8.0", "status": "affected", "version": "1.0.0", "versionType": "custom" } ] }, { "cpes": [ "cpe:2.3:a:microsoft:azure_identity_library_for_python:-:*:*:*:*:*:*:*" ], "platforms": [ "Unknown" ], "product": "Azure Identity Library for Python", "vendor": "Microsoft", "versions": [ { "lessThan": "1.16.1", "status": "affected", "version": "1.0.0", "versionType": "custom" } ] } ], "datePublic": "2024-06-11T07:00:00+00:00", "descriptions": [ { "lang": "en-US", "value": "Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability" } ], "metrics": [ { "cvssV3_1": { "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en-US", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)", "lang": "en-US", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-07-19T21:13:23.822Z", "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft" }, "references": [ { "name": "Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability", "tags": [ "vendor-advisory" ], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255" } ], "title": "Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability" } }, "cveMetadata": { "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "assignerShortName": "microsoft", "cveId": "CVE-2024-35255", "datePublished": "2024-06-11T16:59:47.754Z", "dateReserved": "2024-05-14T20:14:47.411Z", "dateUpdated": "2024-08-02T03:07:46.822Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2024-35255\",\"sourceIdentifier\":\"secure@microsoft.com\",\"published\":\"2024-06-11T17:16:03.550\",\"lastModified\":\"2024-11-21T09:20:01.923\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de elevaci\u00f3n de privilegios en las librer\u00edas de identidad de Azure y la librer\u00eda de autenticaci\u00f3n de Microsoft\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secure@microsoft.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"secure@microsoft.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-362\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-362\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:authentication_library:*:*:*:*:*:java:*:*\",\"versionEndExcluding\":\"1.15.1\",\"matchCriteriaId\":\"1F13542D-538A-47C1-9BD1-9E0D5CBCE26B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:authentication_library:*:*:*:*:*:node.js:*:*\",\"versionEndIncluding\":\"2.9.2\",\"matchCriteriaId\":\"F7C63AFB-7B70-45A6-A9F2-83B413A83951\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:authentication_library:*:*:*:*:*:.net:*:*\",\"versionEndExcluding\":\"4.61.3\",\"matchCriteriaId\":\"3C2C72F0-370B-40C9-BE59-003759D8075D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:go:*:*\",\"versionEndExcluding\":\"1.6.0\",\"matchCriteriaId\":\"4747CC36-3E5B-40E3-A955-75044682B9B7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:c\\\\+\\\\+:*:*\",\"versionEndExcluding\":\"1.8.0\",\"matchCriteriaId\":\"E994EFF7-09AC-4979-A37B-5030C56F0F70\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:.net:*:*\",\"versionEndExcluding\":\"1.11.4\",\"matchCriteriaId\":\"1D1BABF5-442F-4A95-A608-DEF21245930F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:java:*:*\",\"versionEndExcluding\":\"1.12.2\",\"matchCriteriaId\":\"2EDF4F14-5A4B-4EA4-B1DA-6E3779BF4F8A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:python:*:*\",\"versionEndExcluding\":\"1.16.1\",\"matchCriteriaId\":\"4D509315-188D-403A-B9DC-1104958834F1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:microsoft:azure_identity_sdk:*:*:*:*:*:javascript:*:*\",\"versionEndExcluding\":\"4.2.1\",\"matchCriteriaId\":\"9BC2D3A8-759D-4BBC-AA63-45D7A52EF907\"}]}]}],\"references\":[{\"url\":\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255\",\"source\":\"secure@microsoft.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}" } }
rhsa-2024_7052
Vulnerability from csaf_redhat
Published
2024-09-24 12:51
Modified
2024-12-17 14:23
Summary
Red Hat Security Advisory: Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.GA)
Notes
Topic
An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.GA).
The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.
Details
An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.GA).
The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products:
* CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.utilities: XXE vulnerability in XSLT transforms in
* CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.r5: XXE vulnerability in XSLT transforms in
* CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.r4: XXE vulnerability in XSLT transforms in
* CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.dstu3: XXE vulnerability in XSLT transforms in
* CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may: XXE vulnerability in XSLT transforms in
* CVE-2024-8391 io.vertx/vertx-grpc-server: Vertx gRPC server does not limit the maximum message size
* CVE-2024-8391 io.vertx/vertx-grpc-client: Vertx gRPC server does not limit the maximum message size
* CVE-2024-32007 org.apache.cxf/cxf-rt-rs-security-jose: apache: cxf: org.apache.cxf:cxf-rt-rs-security-jose: Denial of Service vulnerability in JOSE
* CVE-2024-41172 org.apache.cxf/cxf-rt-transports-http: unrestricted memory consumption in CXF HTTP clients
* CVE-2024-35255 com.azure/azure-identity: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.GA).\nThe purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.", "title": "Topic" }, { "category": "general", "text": "An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.GA).\nThe purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products:\n* CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.utilities: XXE vulnerability in XSLT transforms in \n* CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.r5: XXE vulnerability in XSLT transforms in \n* CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.r4: XXE vulnerability in XSLT transforms in \n* CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.dstu3: XXE vulnerability in XSLT transforms in \n* CVE-2024-45294 ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may: XXE vulnerability in XSLT transforms in \n* CVE-2024-8391 io.vertx/vertx-grpc-server: Vertx gRPC server does not limit the maximum message size\n* CVE-2024-8391 io.vertx/vertx-grpc-client: Vertx gRPC server does not limit the maximum message size\n* CVE-2024-32007 org.apache.cxf/cxf-rt-rs-security-jose: apache: cxf: org.apache.cxf:cxf-rt-rs-security-jose: Denial of Service vulnerability in JOSE\n* CVE-2024-41172 org.apache.cxf/cxf-rt-transports-http: unrestricted memory consumption in CXF HTTP clients\n* CVE-2024-35255 com.azure/azure-identity: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2024:7052", "url": "https://access.redhat.com/errata/RHSA-2024:7052" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2024-45294", "url": "https://access.redhat.com/security/cve/CVE-2024-45294" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2024-8391", "url": "https://access.redhat.com/security/cve/CVE-2024-8391" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2024-32007", "url": "https://access.redhat.com/security/cve/CVE-2024-32007" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2024-41172", "url": "https://access.redhat.com/security/cve/CVE-2024-41172" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2024-35255", "url": "https://access.redhat.com/security/cve/CVE-2024-35255" }, { "category": "external", "summary": "2295081", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295081" }, { "category": "external", "summary": "2298828", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2298828" }, { "category": "external", "summary": "2298829", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2298829" }, { "category": "external", "summary": "2309758", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309758" }, { "category": "external", "summary": "2310447", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2310447" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7052.json" } ], "title": "Red Hat Security Advisory: Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.GA)", "tracking": { "current_release_date": "2024-12-17T14:23:49+00:00", "generator": { "date": "2024-12-17T14:23:49+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.3" } }, "id": "RHSA-2024:7052", "initial_release_date": "2024-09-24T12:51:36+00:00", "revision_history": [ { "date": "2024-09-24T12:51:36+00:00", "number": "1", "summary": "Initial version" }, { "date": "2024-09-24T12:51:36+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-12-17T14:23:49+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat build of Apache Camel for Quarkus", "product": { "name": "Red Hat build of Apache Camel for Quarkus", "product_id": "Red Hat build of Apache Camel for Quarkus", "product_identification_helper": { "cpe": "cpe:/a:redhat:camel_quarkus:3.8" } } } ], "category": "product_family", "name": "Red Hat Build of Apache Camel" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2024-8391", "cwe": { "id": "CWE-770", "name": "Allocation of Resources Without Limits or Throttling" }, "discovery_date": "2024-09-04T16:20:44.762419+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2309758" } ], "notes": [ { "category": "description", "text": "A flaw was found in the gRPC server in Eclipse Vert.x, which does not limit the maximum length of the message payload. This may lead to excessive memory consumption in a server or a client, causing a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "io.vertx:vertx-grpc-client: io.vertx:vertx-grpc-server: Vertx gRPC server does not limit the maximum message size", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat build of Apache Camel for Quarkus" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2024-8391" }, { "category": "external", "summary": "RHBZ#2309758", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309758" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2024-8391", "url": "https://www.cve.org/CVERecord?id=CVE-2024-8391" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-8391", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8391" }, { "category": "external", "summary": "https://github.com/eclipse-vertx/vertx-grpc/issues/113", "url": "https://github.com/eclipse-vertx/vertx-grpc/issues/113" }, { "category": "external", "summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/31", "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/31" } ], "release_date": "2024-09-04T16:15:09.253000+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-09-24T12:51:36+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat build of Apache Camel for Quarkus" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:7052" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "product_ids": [ "Red Hat build of Apache Camel for Quarkus" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "Red Hat build of Apache Camel for Quarkus" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "io.vertx:vertx-grpc-client: io.vertx:vertx-grpc-server: Vertx gRPC server does not limit the maximum message size" }, { "cve": "CVE-2024-32007", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2024-07-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2298828" } ], "notes": [ { "category": "description", "text": "An improper input validation vulnerability was found in the p2c parameter in the Apache CXF JOSE. This flaw allows an attacker to perform a denial of service attack by specifying a large value for this parameter in a token.", "title": "Vulnerability description" }, { "category": "summary", "text": "apache: cxf: org.apache.cxf:cxf-rt-rs-security-jose: Denial of Service vulnerability in JOSE", "title": "Vulnerability summary" }, { "category": "other", "text": "The improper input validation vulnerability in the p2c parameter of Apache CXF JOSE is considered a moderate severity issue rather than a important one due to its limited scope and impact. While the flaw allows an attacker to specify a large value for the p2c parameter, leading to potential denial of service (DoS) attacks by causing excessive computational overhead, it does not compromise data integrity, confidentiality, or authentication mechanisms directly. The attack vector primarily affects system availability and exploiting this vulnerability requires the ability to send crafted tokens.\n\nBase EAP (7.4 and 8) and EAP XP (4 and 5) do not ship this affected CXF jaxrs artifact. cxf-rt-rs-security-jose is part of CXF\u0027s JAX-RS, and EAP uses RESTEasy, hence it\u0027s not-affected.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat build of Apache Camel for Quarkus" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2024-32007" }, { "category": "external", "summary": "RHBZ#2298828", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2298828" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2024-32007", "url": "https://www.cve.org/CVERecord?id=CVE-2024-32007" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-32007", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32007" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-6pff-fmh2-4mmf", "url": "https://github.com/advisories/GHSA-6pff-fmh2-4mmf" }, { "category": "external", "summary": "https://lists.apache.org/thread/stwrgsr1llb73nkl16klv9vjqgmmx633", "url": "https://lists.apache.org/thread/stwrgsr1llb73nkl16klv9vjqgmmx633" } ], "release_date": "2024-07-19T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-09-24T12:51:36+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat build of Apache Camel for Quarkus" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:7052" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "product_ids": [ "Red Hat build of Apache Camel for Quarkus" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "Red Hat build of Apache Camel for Quarkus" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "apache: cxf: org.apache.cxf:cxf-rt-rs-security-jose: Denial of Service vulnerability in JOSE" }, { "cve": "CVE-2024-35255", "discovery_date": "2024-07-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2295081" } ], "notes": [ { "category": "description", "text": "A flaw was found in Microsoft\u0027s Azure Identity Libraries and the Microsoft Authentication Library (MSAL). The flaw arises from a race condition\u2014a scenario where the timing of events leads to unexpected behavior\u2014during concurrent operations on shared resources. This can result in privilege escalation, allowing attackers to gain unauthorized access to sensitive information. The vulnerability affects multiple versions of these libraries across various programming languages, including Java, .NET, Node.js, Python, JavaScript, C++, and Go. Microsoft has addressed this issue by releasing updated versions of the affected libraries. Users are strongly advised to upgrade to these patched versions to mitigate potential security risks.", "title": "Vulnerability description" }, { "category": "summary", "text": "azure-identity: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat build of Apache Camel for Quarkus" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2024-35255" }, { "category": "external", "summary": "RHBZ#2295081", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295081" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2024-35255", "url": "https://www.cve.org/CVERecord?id=CVE-2024-35255" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-35255", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35255" }, { "category": "external", "summary": "https://github.com/Azure/azure-sdk-for-go/commit/50774cd9709905523136fb05e8c85a50e8984499", "url": "https://github.com/Azure/azure-sdk-for-go/commit/50774cd9709905523136fb05e8c85a50e8984499" }, { "category": "external", "summary": "https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4806#issuecomment-2178960340", "url": "https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4806#issuecomment-2178960340" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-m5vv-6r4h-3vj9", "url": "https://github.com/advisories/GHSA-m5vv-6r4h-3vj9" }, { "category": "external", "summary": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255" } ], "release_date": "2024-07-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-09-24T12:51:36+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat build of Apache Camel for Quarkus" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:7052" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "Red Hat build of Apache Camel for Quarkus" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "azure-identity: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity" }, { "cve": "CVE-2024-41172", "cwe": { "id": "CWE-401", "name": "Missing Release of Memory after Effective Lifetime" }, "discovery_date": "2024-07-19T09:20:34+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2298829" } ], "notes": [ { "category": "description", "text": "A memory consumption flaw was found in Apache CXF. This issue may allow a CXF HTTP client conduit to prevent HTTPClient instances from being garbage collected, eventually causing the application to run out of memory.", "title": "Vulnerability description" }, { "category": "summary", "text": "apache: cxf: org.apache.cxf:cxf-rt-transports-http: unrestricted memory consumption in CXF HTTP clients", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat build of Apache Camel for Quarkus" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2024-41172" }, { "category": "external", "summary": "RHBZ#2298829", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2298829" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2024-41172", "url": "https://www.cve.org/CVERecord?id=CVE-2024-41172" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-41172", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41172" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-4mgg-fqfq-64hg", "url": "https://github.com/advisories/GHSA-4mgg-fqfq-64hg" }, { "category": "external", "summary": "https://lists.apache.org/thread/n2hvbrgwpdtcqdccod8by28ynnolybl6", "url": "https://lists.apache.org/thread/n2hvbrgwpdtcqdccod8by28ynnolybl6" }, { "category": "external", "summary": "https://osv.dev/vulnerability/GHSA-4mgg-fqfq-64hg", "url": "https://osv.dev/vulnerability/GHSA-4mgg-fqfq-64hg" } ], "release_date": "2024-07-19T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-09-24T12:51:36+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat build of Apache Camel for Quarkus" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:7052" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "Red Hat build of Apache Camel for Quarkus" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "apache: cxf: org.apache.cxf:cxf-rt-transports-http: unrestricted memory consumption in CXF HTTP clients" }, { "cve": "CVE-2024-45294", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2024-09-06T16:20:11.403869+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2310447" } ], "notes": [ { "category": "description", "text": "A flaw was found in HAPI FHIR - HL7 FHIR Core Artifacts. eXtensible Stylesheet Language Transformations (XSLT) transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This issue impacts use cases where org.hl7.fhir.core is being used within a host where external clients can submit XML.", "title": "Vulnerability description" }, { "category": "summary", "text": "org.hl7.fhir.core: org.hl7.fhir.dstu3: org.hl7.fhir.r4: org.hl7.fhir.r4b: org.hl7.fhir.r5: org.hl7.fhir.utilities: XXE vulnerability in XSLT transforms in `org.hl7.fhir.core`", "title": "Vulnerability summary" }, { "category": "other", "text": "This vulnerability is of significant severity because it allows for XML External Entity (XXE) injection, which can lead to unauthorized access and leakage of sensitive data from the host system. In environments where external clients are permitted to submit XML files, an attacker could craft a malicious XML containing a DTD (Document Type Definition) that references external entities. When processed, this could result in the unauthorized disclosure of files, environmental variables, or other confidential data from the server, potentially compromising the integrity and confidentiality of the system.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat build of Apache Camel for Quarkus" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2024-45294" }, { "category": "external", "summary": "RHBZ#2310447", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2310447" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2024-45294", "url": "https://www.cve.org/CVERecord?id=CVE-2024-45294" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-45294", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45294" }, { "category": "external", "summary": "https://github.com/hapifhir/org.hl7.fhir.core/releases/tag/6.3.23", "url": "https://github.com/hapifhir/org.hl7.fhir.core/releases/tag/6.3.23" }, { "category": "external", "summary": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf", "url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf" } ], "release_date": "2024-09-06T16:15:03.300000+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-09-24T12:51:36+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat build of Apache Camel for Quarkus" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:7052" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "product_ids": [ "Red Hat build of Apache Camel for Quarkus" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" }, "products": [ "Red Hat build of Apache Camel for Quarkus" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "org.hl7.fhir.core: org.hl7.fhir.dstu3: org.hl7.fhir.r4: org.hl7.fhir.r4b: org.hl7.fhir.r5: org.hl7.fhir.utilities: XXE vulnerability in XSLT transforms in `org.hl7.fhir.core`" } ] }
wid-sec-w-2024-1688
Vulnerability from csaf_certbund
Published
2024-07-22 22:00
Modified
2024-07-22 22:00
Summary
IBM App Connect Enterprise: Mehrere Schwachstelle
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
IBM App Connect Enterprise kombiniert die branchenbewährten Technologien des IBM Integration Bus mit Cloud-nativen Technologien.
Angriff
Ein Angreifer kann mehrere Schwachstellen in IBM App Connect Enterprise ausnutzen, um seine Privilegien zu erhöhen oder einen Denial-of-Service-Zustand zu verursachen.
Betroffene Betriebssysteme
- Linux
- Windows
{ "document": { "aggregate_severity": { "text": "mittel" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "IBM App Connect Enterprise kombiniert die branchenbew\u00e4hrten Technologien des IBM Integration Bus mit Cloud-nativen Technologien.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein Angreifer kann mehrere Schwachstellen in IBM App Connect Enterprise ausnutzen, um seine Privilegien zu erh\u00f6hen oder einen Denial-of-Service-Zustand zu verursachen.", "title": "Angriff" }, { "category": "general", "text": "- Linux\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2024-1688 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1688.json" }, { "category": "self", "summary": "WID-SEC-2024-1688 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1688" }, { "category": "external", "summary": "IBM Security Bulletin vom 2024-07-22", "url": "https://www.ibm.com/support/pages/node/7160859" } ], "source_lang": "en-US", "title": "IBM App Connect Enterprise: Mehrere Schwachstelle", "tracking": { "current_release_date": "2024-07-22T22:00:00.000+00:00", "generator": { "date": "2024-07-23T08:32:46.025+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2024-1688", "initial_release_date": "2024-07-22T22:00:00.000+00:00", "revision_history": [ { "date": "2024-07-22T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003c12.0.12.4", "product": { "name": "IBM App Connect Enterprise \u003c12.0.12.4", "product_id": "T036393", "product_identification_helper": { "cpe": "cpe:/a:ibm:app_connect_enterprise:12.0.12.4" } } } ], "category": "product_name", "name": "App Connect Enterprise" } ], "category": "vendor", "name": "IBM" } ] }, "vulnerabilities": [ { "cve": "CVE-2024-35255", "notes": [ { "category": "description", "text": "Es besteht eine Schwachstelle in IBM App Connect Enterprise. Dieser Fehler besteht in den Microsoft Azure Identity Libraries und der Microsoft Authentication Library. Durch das Senden einer speziell gestalteten Anfrage kann ein lokaler Angreifer diese Schwachstelle ausnutzen, um seine Privilegien zu erweitern." } ], "release_date": "2024-07-22T22:00:00Z", "title": "CVE-2024-35255" }, { "cve": "CVE-2024-37168", "notes": [ { "category": "description", "text": "Es besteht eine Schwachstelle in IBM App Connect Enterprise. Dieser Fehler besteht in der gRPC-Komponente auf Node.js aufgrund einer unsachgem\u00e4\u00dfen Speicherzuweisung mit \u00fcberm\u00e4\u00dfigem Gr\u00f6\u00dfenwert. Durch das Senden speziell gestalteter Meldungen kann ein entfernter, anonymer Angreifer diese Schwachstelle ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen." } ], "release_date": "2024-07-22T22:00:00Z", "title": "CVE-2024-37168" } ] }
WID-SEC-W-2024-1339
Vulnerability from csaf_certbund
Published
2024-06-11 22:00
Modified
2024-06-11 22:00
Summary
Microsoft Azure: Mehrere Schwachstellen ermöglichen Privilegieneskalation
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Azure ist eine Cloud Computing-Plattform von Microsoft.
Angriff
Ein Angreifer kann mehrere Schwachstellen in Microsoft Azure ausnutzen, um seine Privilegien zu erhöhen und um einen Denial of Service Zustand herbeizuführen.
Betroffene Betriebssysteme
- Windows
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Azure ist eine Cloud Computing-Plattform von Microsoft.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein Angreifer kann mehrere Schwachstellen in Microsoft Azure ausnutzen, um seine Privilegien zu erh\u00f6hen und um einen Denial of Service Zustand herbeizuf\u00fchren.", "title": "Angriff" }, { "category": "general", "text": "- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2024-1339 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1339.json" }, { "category": "self", "summary": "WID-SEC-2024-1339 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1339" }, { "category": "external", "summary": "Microsoft Leitfaden f\u00fcr Sicherheitsupdates vom 2024-06-11", "url": "https://msrc.microsoft.com/update-guide" } ], "source_lang": "en-US", "title": "Microsoft Azure: Mehrere Schwachstellen erm\u00f6glichen Privilegieneskalation", "tracking": { "current_release_date": "2024-06-11T22:00:00.000+00:00", "generator": { "date": "2024-06-12T09:06:02.534+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2024-1339", "initial_release_date": "2024-06-11T22:00:00.000+00:00", "revision_history": [ { "date": "2024-06-11T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "Data Science Virtual Machines for Linux", "product": { "name": "Microsoft Azure Data Science Virtual Machines for Linux", "product_id": "T035364", "product_identification_helper": { "cpe": "cpe:/a:microsoft:azure:data_science_virtual_machines_for_linux" } } }, { "category": "product_version", "name": "File Sync v16.0", "product": { "name": "Microsoft Azure File Sync v16.0", "product_id": "T035365", "product_identification_helper": { "cpe": "cpe:/a:microsoft:azure:file_sync_v16.0" } } }, { "category": "product_version", "name": "File Sync v17.0", "product": { "name": "Microsoft Azure File Sync v17.0", "product_id": "T035366", "product_identification_helper": { "cpe": "cpe:/a:microsoft:azure:file_sync_v17.0" } } }, { "category": "product_version", "name": "File Sync v18.0", "product": { "name": "Microsoft Azure File Sync v18.0", "product_id": "T035367", "product_identification_helper": { "cpe": "cpe:/a:microsoft:azure:file_sync_v18.0" } } }, { "category": "product_version", "name": "Identity Library for .NET", "product": { "name": "Microsoft Azure Identity Library for .NET", "product_id": "T035368", "product_identification_helper": { "cpe": "cpe:/a:microsoft:azure:identity_library_for_.net" } } }, { "category": "product_version", "name": "Identity Library for C++", "product": { "name": "Microsoft Azure Identity Library for C++", "product_id": "T035370", "product_identification_helper": { "cpe": "cpe:/a:microsoft:azure:identity_library_for_c" } } }, { "category": "product_version", "name": "Identity Library for Go", "product": { "name": "Microsoft Azure Identity Library for Go", "product_id": "T035371", "product_identification_helper": { "cpe": "cpe:/a:microsoft:azure:identity_library_for_go" } } }, { "category": "product_version", "name": "Identity Library for Java", "product": { "name": "Microsoft Azure Identity Library for Java", "product_id": "T035372", "product_identification_helper": { "cpe": "cpe:/a:microsoft:azure:identity_library_for_java" } } }, { "category": "product_version", "name": "Identity Library for JavaScript", "product": { "name": "Microsoft Azure Identity Library for JavaScript", "product_id": "T035373", "product_identification_helper": { "cpe": "cpe:/a:microsoft:azure:identity_library_for_javascript" } } }, { "category": "product_version", "name": "Identity Library for Python", "product": { "name": "Microsoft Azure Identity Library for Python", "product_id": "T035374", "product_identification_helper": { "cpe": "cpe:/a:microsoft:azure:identity_library_for_python" } } }, { "category": "product_version", "name": "Monitor Agent", "product": { "name": "Microsoft Azure Monitor Agent", "product_id": "T035376", "product_identification_helper": { "cpe": "cpe:/a:microsoft:azure:monitor_agent" } } }, { "category": "product_version", "name": "Storage Movement Client Library for .NET", "product": { "name": "Microsoft Azure Storage Movement Client Library for .NET", "product_id": "T035377", "product_identification_helper": { "cpe": "cpe:/a:microsoft:azure:storage_movement_client_library_for_.net" } } } ], "category": "product_name", "name": "Azure" } ], "category": "vendor", "name": "Microsoft" } ] }, "vulnerabilities": [ { "cve": "CVE-2024-35253", "notes": [ { "category": "description", "text": "In Microsoft Azure existieren mehrere Schwachstellen. Diese werden von Microsoft nicht im Detail beschrieben. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern." } ], "product_status": { "known_affected": [ "T035371", "T035370", "T035364", "T035374", "T035373", "T035372", "T035368", "T035367", "T035366", "T035377", "T035365", "T035376" ] }, "release_date": "2024-06-11T22:00:00Z", "title": "CVE-2024-35253" }, { "cve": "CVE-2024-35254", "notes": [ { "category": "description", "text": "In Microsoft Azure existieren mehrere Schwachstellen. Diese werden von Microsoft nicht im Detail beschrieben. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern." } ], "product_status": { "known_affected": [ "T035371", "T035370", "T035364", "T035374", "T035373", "T035372", "T035368", "T035367", "T035366", "T035377", "T035365", "T035376" ] }, "release_date": "2024-06-11T22:00:00Z", "title": "CVE-2024-35254" }, { "cve": "CVE-2024-35255", "notes": [ { "category": "description", "text": "In Microsoft Azure existieren mehrere Schwachstellen. Diese werden von Microsoft nicht im Detail beschrieben. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern." } ], "product_status": { "known_affected": [ "T035371", "T035370", "T035364", "T035374", "T035373", "T035372", "T035368", "T035367", "T035366", "T035377", "T035365", "T035376" ] }, "release_date": "2024-06-11T22:00:00Z", "title": "CVE-2024-35255" }, { "cve": "CVE-2024-35252", "notes": [ { "category": "description", "text": "In Microsoft Azure existiert eine Schwachstelle. Diese ist auf eine Anf\u00e4lligkeit f\u00fcr einen Denial of Service Angriff in der Azure Storage Movement Client-Bibliothek zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T035377" ] }, "release_date": "2024-06-11T22:00:00Z", "title": "CVE-2024-35252" }, { "cve": "CVE-2024-37325", "notes": [ { "category": "description", "text": "In Microsoft Azure existiert eine Schwachstelle. Diese besteht in der Azure Science Virtual Machine (DSVM) und wird nicht weiter im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um seine Privilegien zu erweitern." } ], "product_status": { "known_affected": [ "T035377" ] }, "release_date": "2024-06-11T22:00:00Z", "title": "CVE-2024-37325" } ] }
wid-sec-w-2024-1339
Vulnerability from csaf_certbund
Published
2024-06-11 22:00
Modified
2024-06-11 22:00
Summary
Microsoft Azure: Mehrere Schwachstellen ermöglichen Privilegieneskalation
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Azure ist eine Cloud Computing-Plattform von Microsoft.
Angriff
Ein Angreifer kann mehrere Schwachstellen in Microsoft Azure ausnutzen, um seine Privilegien zu erhöhen und um einen Denial of Service Zustand herbeizuführen.
Betroffene Betriebssysteme
- Windows
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Azure ist eine Cloud Computing-Plattform von Microsoft.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein Angreifer kann mehrere Schwachstellen in Microsoft Azure ausnutzen, um seine Privilegien zu erh\u00f6hen und um einen Denial of Service Zustand herbeizuf\u00fchren.", "title": "Angriff" }, { "category": "general", "text": "- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2024-1339 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1339.json" }, { "category": "self", "summary": "WID-SEC-2024-1339 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1339" }, { "category": "external", "summary": "Microsoft Leitfaden f\u00fcr Sicherheitsupdates vom 2024-06-11", "url": "https://msrc.microsoft.com/update-guide" } ], "source_lang": "en-US", "title": "Microsoft Azure: Mehrere Schwachstellen erm\u00f6glichen Privilegieneskalation", "tracking": { "current_release_date": "2024-06-11T22:00:00.000+00:00", "generator": { "date": "2024-06-12T09:06:02.534+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2024-1339", "initial_release_date": "2024-06-11T22:00:00.000+00:00", "revision_history": [ { "date": "2024-06-11T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "Data Science Virtual Machines for Linux", "product": { "name": "Microsoft Azure Data Science Virtual Machines for Linux", "product_id": "T035364", "product_identification_helper": { "cpe": "cpe:/a:microsoft:azure:data_science_virtual_machines_for_linux" } } }, { "category": "product_version", "name": "File Sync v16.0", "product": { "name": "Microsoft Azure File Sync v16.0", "product_id": "T035365", "product_identification_helper": { "cpe": "cpe:/a:microsoft:azure:file_sync_v16.0" } } }, { "category": "product_version", "name": "File Sync v17.0", "product": { "name": "Microsoft Azure File Sync v17.0", "product_id": "T035366", "product_identification_helper": { "cpe": "cpe:/a:microsoft:azure:file_sync_v17.0" } } }, { "category": "product_version", "name": "File Sync v18.0", "product": { "name": "Microsoft Azure File Sync v18.0", "product_id": "T035367", "product_identification_helper": { "cpe": "cpe:/a:microsoft:azure:file_sync_v18.0" } } }, { "category": "product_version", "name": "Identity Library for .NET", "product": { "name": "Microsoft Azure Identity Library for .NET", "product_id": "T035368", "product_identification_helper": { "cpe": "cpe:/a:microsoft:azure:identity_library_for_.net" } } }, { "category": "product_version", "name": "Identity Library for C++", "product": { "name": "Microsoft Azure Identity Library for C++", "product_id": "T035370", "product_identification_helper": { "cpe": "cpe:/a:microsoft:azure:identity_library_for_c" } } }, { "category": "product_version", "name": "Identity Library for Go", "product": { "name": "Microsoft Azure Identity Library for Go", "product_id": "T035371", "product_identification_helper": { "cpe": "cpe:/a:microsoft:azure:identity_library_for_go" } } }, { "category": "product_version", "name": "Identity Library for Java", "product": { "name": "Microsoft Azure Identity Library for Java", "product_id": "T035372", "product_identification_helper": { "cpe": "cpe:/a:microsoft:azure:identity_library_for_java" } } }, { "category": "product_version", "name": "Identity Library for JavaScript", "product": { "name": "Microsoft Azure Identity Library for JavaScript", "product_id": "T035373", "product_identification_helper": { "cpe": "cpe:/a:microsoft:azure:identity_library_for_javascript" } } }, { "category": "product_version", "name": "Identity Library for Python", "product": { "name": "Microsoft Azure Identity Library for Python", "product_id": "T035374", "product_identification_helper": { "cpe": "cpe:/a:microsoft:azure:identity_library_for_python" } } }, { "category": "product_version", "name": "Monitor Agent", "product": { "name": "Microsoft Azure Monitor Agent", "product_id": "T035376", "product_identification_helper": { "cpe": "cpe:/a:microsoft:azure:monitor_agent" } } }, { "category": "product_version", "name": "Storage Movement Client Library for .NET", "product": { "name": "Microsoft Azure Storage Movement Client Library for .NET", "product_id": "T035377", "product_identification_helper": { "cpe": "cpe:/a:microsoft:azure:storage_movement_client_library_for_.net" } } } ], "category": "product_name", "name": "Azure" } ], "category": "vendor", "name": "Microsoft" } ] }, "vulnerabilities": [ { "cve": "CVE-2024-35253", "notes": [ { "category": "description", "text": "In Microsoft Azure existieren mehrere Schwachstellen. Diese werden von Microsoft nicht im Detail beschrieben. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern." } ], "product_status": { "known_affected": [ "T035371", "T035370", "T035364", "T035374", "T035373", "T035372", "T035368", "T035367", "T035366", "T035377", "T035365", "T035376" ] }, "release_date": "2024-06-11T22:00:00Z", "title": "CVE-2024-35253" }, { "cve": "CVE-2024-35254", "notes": [ { "category": "description", "text": "In Microsoft Azure existieren mehrere Schwachstellen. Diese werden von Microsoft nicht im Detail beschrieben. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern." } ], "product_status": { "known_affected": [ "T035371", "T035370", "T035364", "T035374", "T035373", "T035372", "T035368", "T035367", "T035366", "T035377", "T035365", "T035376" ] }, "release_date": "2024-06-11T22:00:00Z", "title": "CVE-2024-35254" }, { "cve": "CVE-2024-35255", "notes": [ { "category": "description", "text": "In Microsoft Azure existieren mehrere Schwachstellen. Diese werden von Microsoft nicht im Detail beschrieben. Ein lokaler Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern." } ], "product_status": { "known_affected": [ "T035371", "T035370", "T035364", "T035374", "T035373", "T035372", "T035368", "T035367", "T035366", "T035377", "T035365", "T035376" ] }, "release_date": "2024-06-11T22:00:00Z", "title": "CVE-2024-35255" }, { "cve": "CVE-2024-35252", "notes": [ { "category": "description", "text": "In Microsoft Azure existiert eine Schwachstelle. Diese ist auf eine Anf\u00e4lligkeit f\u00fcr einen Denial of Service Angriff in der Azure Storage Movement Client-Bibliothek zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren." } ], "product_status": { "known_affected": [ "T035377" ] }, "release_date": "2024-06-11T22:00:00Z", "title": "CVE-2024-35252" }, { "cve": "CVE-2024-37325", "notes": [ { "category": "description", "text": "In Microsoft Azure existiert eine Schwachstelle. Diese besteht in der Azure Science Virtual Machine (DSVM) und wird nicht weiter im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um seine Privilegien zu erweitern." } ], "product_status": { "known_affected": [ "T035377" ] }, "release_date": "2024-06-11T22:00:00Z", "title": "CVE-2024-37325" } ] }
WID-SEC-W-2024-1688
Vulnerability from csaf_certbund
Published
2024-07-22 22:00
Modified
2024-07-22 22:00
Summary
IBM App Connect Enterprise: Mehrere Schwachstelle
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
IBM App Connect Enterprise kombiniert die branchenbewährten Technologien des IBM Integration Bus mit Cloud-nativen Technologien.
Angriff
Ein Angreifer kann mehrere Schwachstellen in IBM App Connect Enterprise ausnutzen, um seine Privilegien zu erhöhen oder einen Denial-of-Service-Zustand zu verursachen.
Betroffene Betriebssysteme
- Linux
- Windows
{ "document": { "aggregate_severity": { "text": "mittel" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "IBM App Connect Enterprise kombiniert die branchenbew\u00e4hrten Technologien des IBM Integration Bus mit Cloud-nativen Technologien.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein Angreifer kann mehrere Schwachstellen in IBM App Connect Enterprise ausnutzen, um seine Privilegien zu erh\u00f6hen oder einen Denial-of-Service-Zustand zu verursachen.", "title": "Angriff" }, { "category": "general", "text": "- Linux\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2024-1688 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1688.json" }, { "category": "self", "summary": "WID-SEC-2024-1688 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1688" }, { "category": "external", "summary": "IBM Security Bulletin vom 2024-07-22", "url": "https://www.ibm.com/support/pages/node/7160859" } ], "source_lang": "en-US", "title": "IBM App Connect Enterprise: Mehrere Schwachstelle", "tracking": { "current_release_date": "2024-07-22T22:00:00.000+00:00", "generator": { "date": "2024-07-23T08:32:46.025+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2024-1688", "initial_release_date": "2024-07-22T22:00:00.000+00:00", "revision_history": [ { "date": "2024-07-22T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003c12.0.12.4", "product": { "name": "IBM App Connect Enterprise \u003c12.0.12.4", "product_id": "T036393", "product_identification_helper": { "cpe": "cpe:/a:ibm:app_connect_enterprise:12.0.12.4" } } } ], "category": "product_name", "name": "App Connect Enterprise" } ], "category": "vendor", "name": "IBM" } ] }, "vulnerabilities": [ { "cve": "CVE-2024-35255", "notes": [ { "category": "description", "text": "Es besteht eine Schwachstelle in IBM App Connect Enterprise. Dieser Fehler besteht in den Microsoft Azure Identity Libraries und der Microsoft Authentication Library. Durch das Senden einer speziell gestalteten Anfrage kann ein lokaler Angreifer diese Schwachstelle ausnutzen, um seine Privilegien zu erweitern." } ], "release_date": "2024-07-22T22:00:00Z", "title": "CVE-2024-35255" }, { "cve": "CVE-2024-37168", "notes": [ { "category": "description", "text": "Es besteht eine Schwachstelle in IBM App Connect Enterprise. Dieser Fehler besteht in der gRPC-Komponente auf Node.js aufgrund einer unsachgem\u00e4\u00dfen Speicherzuweisung mit \u00fcberm\u00e4\u00dfigem Gr\u00f6\u00dfenwert. Durch das Senden speziell gestalteter Meldungen kann ein entfernter, anonymer Angreifer diese Schwachstelle ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen." } ], "release_date": "2024-07-22T22:00:00Z", "title": "CVE-2024-37168" } ] }
ncsc-2024-0249
Vulnerability from csaf_ncscnl
Published
2024-06-11 18:15
Modified
2024-06-11 18:15
Summary
Kwetsbaarheden verholpen in Microsoft Azure
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten
Microsoft heeft kwetsbaarheden verholpen in Azure producten.
Interpretaties
Een kwaadwillende kan de kwetsbaarheden misbruiken om een Denial-of-Service te veroorzaken, of om zich verhoogde rechten toe te kennen en mogelijk handelingen uit te voeren met beheerdersrechten.
De ernstigste kwetsbaarheid heeft kenmerk CVE-2024-37325 toegewezen gekregen. Deze kwetsbaarheid bevindt zich in de Data Science Virtual Machines met versies kleiner dan 24.05.24 welke draaien op Linux/Ubuntu. Een ongeauthenticeerde kwaadwillende kan de gebruikersgegevens van deze VM's achterhalen en inloggen als het slachtoffer.
```
Azure Storage Library:
|----------------|------|-------------------------------------|
| CVE-ID | CVSS | Impact |
|----------------|------|-------------------------------------|
| CVE-2024-35252 | 7.50 | Denial-of-Service |
|----------------|------|-------------------------------------|
Azure Monitor:
|----------------|------|-------------------------------------|
| CVE-ID | CVSS | Impact |
|----------------|------|-------------------------------------|
| CVE-2024-35254 | 7.10 | Verkrijgen van verhoogde rechten |
|----------------|------|-------------------------------------|
Azure File Sync:
|----------------|------|-------------------------------------|
| CVE-ID | CVSS | Impact |
|----------------|------|-------------------------------------|
| CVE-2024-35253 | 4.40 | Verkrijgen van verhoogde rechten |
|----------------|------|-------------------------------------|
Azure Data Science Virtual Machines:
|----------------|------|-------------------------------------|
| CVE-ID | CVSS | Impact |
|----------------|------|-------------------------------------|
| CVE-2024-37325 | 9.80 | Verkrijgen van verhoogde rechten |
|----------------|------|-------------------------------------|
Azure SDK:
|----------------|------|-------------------------------------|
| CVE-ID | CVSS | Impact |
|----------------|------|-------------------------------------|
| CVE-2024-35255 | 5.50 | Verkrijgen van verhoogde rechten |
|----------------|------|-------------------------------------|
```
Oplossingen
Microsoft heeft updates beschikbaar gesteld waarmee de beschreven kwetsbaarheden worden verholpen. We raden u aan om deze updates te installeren. Meer informatie over de kwetsbaarheden, de installatie van de updates en eventuele work-arounds vindt u op:
https://portal.msrc.microsoft.com/en-us/security-guidance
Kans
medium
Schade
high
CWE-1104
Use of Unmaintained Third Party Components
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-59
Improper Link Resolution Before File Access ('Link Following')
{ "document": { "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "nl", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." }, { "category": "description", "text": "Microsoft heeft kwetsbaarheden verholpen in Azure producten.", "title": "Feiten" }, { "category": "description", "text": "Een kwaadwillende kan de kwetsbaarheden misbruiken om een Denial-of-Service te veroorzaken, of om zich verhoogde rechten toe te kennen en mogelijk handelingen uit te voeren met beheerdersrechten.\n\nDe ernstigste kwetsbaarheid heeft kenmerk CVE-2024-37325 toegewezen gekregen. Deze kwetsbaarheid bevindt zich in de Data Science Virtual Machines met versies kleiner dan 24.05.24 welke draaien op Linux/Ubuntu. Een ongeauthenticeerde kwaadwillende kan de gebruikersgegevens van deze VM\u0027s achterhalen en inloggen als het slachtoffer.\n\n\n```\nAzure Storage Library: \n|----------------|------|-------------------------------------|\n| CVE-ID | CVSS | Impact |\n|----------------|------|-------------------------------------|\n| CVE-2024-35252 | 7.50 | Denial-of-Service | \n|----------------|------|-------------------------------------|\n\nAzure Monitor: \n|----------------|------|-------------------------------------|\n| CVE-ID | CVSS | Impact |\n|----------------|------|-------------------------------------|\n| CVE-2024-35254 | 7.10 | Verkrijgen van verhoogde rechten | \n|----------------|------|-------------------------------------|\n\nAzure File Sync: \n|----------------|------|-------------------------------------|\n| CVE-ID | CVSS | Impact |\n|----------------|------|-------------------------------------|\n| CVE-2024-35253 | 4.40 | Verkrijgen van verhoogde rechten | \n|----------------|------|-------------------------------------|\n\nAzure Data Science Virtual Machines: \n|----------------|------|-------------------------------------|\n| CVE-ID | CVSS | Impact |\n|----------------|------|-------------------------------------|\n| CVE-2024-37325 | 9.80 | Verkrijgen van verhoogde rechten | \n|----------------|------|-------------------------------------|\n\nAzure SDK: \n|----------------|------|-------------------------------------|\n| CVE-ID | CVSS | Impact |\n|----------------|------|-------------------------------------|\n| CVE-2024-35255 | 5.50 | Verkrijgen van verhoogde rechten | \n|----------------|------|-------------------------------------|\n```", "title": "Interpretaties" }, { "category": "description", "text": "Microsoft heeft updates beschikbaar gesteld waarmee de beschreven kwetsbaarheden worden verholpen. We raden u aan om deze updates te installeren. Meer informatie over de kwetsbaarheden, de installatie van de updates en eventuele work-arounds vindt u op:\n\nhttps://portal.msrc.microsoft.com/en-us/security-guidance", "title": "Oplossingen" }, { "category": "general", "text": "medium", "title": "Kans" }, { "category": "general", "text": "high", "title": "Schade" }, { "category": "general", "text": "Use of Unmaintained Third Party Components", "title": "CWE-1104" }, { "category": "general", "text": "Exposure of Sensitive Information to an Unauthorized Actor", "title": "CWE-200" }, { "category": "general", "text": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)", "title": "CWE-362" }, { "category": "general", "text": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)", "title": "CWE-59" } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "Nationaal Cyber Security Centrum", "namespace": "https://www.ncsc.nl/" }, "title": "Kwetsbaarheden verholpen in Microsoft Azure", "tracking": { "current_release_date": "2024-06-11T18:15:29.806897Z", "id": "NCSC-2024-0249", "initial_release_date": "2024-06-11T18:15:29.806897Z", "revision_history": [ { "date": "2024-06-11T18:15:29.806897Z", "number": "0", "summary": "Initiele versie" } ], "status": "final", "version": "1.0.0" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "azure_data_science_virtual_machines", "product": { "name": "azure_data_science_virtual_machines", "product_id": "CSAFPID-1477305", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:azure_data_science_virtual_machines:1.0.0:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "azure_file_sync", "product": { "name": "azure_file_sync", "product_id": "CSAFPID-1477298", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:azure_file_sync:1.0.0:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "azure_file_sync", "product": { "name": "azure_file_sync", "product_id": "CSAFPID-1455778", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:azure_file_sync:16.0.0:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "azure_file_sync", "product": { "name": "azure_file_sync", "product_id": "CSAFPID-1455781", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:azure_file_sync:17.0.0:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "azure_identity_library_for_.net", "product": { "name": "azure_identity_library_for_.net", "product_id": "CSAFPID-1455908", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:azure_identity_library_for_.net:1.0.0:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "azure_identity_library_for_c__", "product": { "name": "azure_identity_library_for_c__", "product_id": "CSAFPID-1477303", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:azure_identity_library_for_c__:1.0.0:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "azure_identity_library_for_java", "product": { "name": "azure_identity_library_for_java", "product_id": "CSAFPID-1477301", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:azure_identity_library_for_java:1.0.0:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "azure_identity_library_for_javascript", "product": { "name": "azure_identity_library_for_javascript", "product_id": "CSAFPID-1477302", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:azure_identity_library_for_javascript:1.0.0:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "azure_identity_library_for_python", "product": { "name": "azure_identity_library_for_python", "product_id": "CSAFPID-1477304", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:azure_identity_library_for_python:1.0.0:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "azure_identity_library", "product": { "name": "azure_identity_library", "product_id": "CSAFPID-1477300", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:azure_identity_library:1.0.0:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "azure_monitor", "product": { "name": "azure_monitor", "product_id": "CSAFPID-1454052", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:azure_monitor:1.0.0:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "azure_storage", "product": { "name": "azure_storage", "product_id": "CSAFPID-1477297", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:azure_storage:1.0.0:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "microsoft_authentication_library", "product": { "name": "microsoft_authentication_library", "product_id": "CSAFPID-1477299", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:microsoft_authentication_library:1.0.0:*:*:*:*:*:*:*" } } } ], "category": "vendor", "name": "microsoft" } ] }, "vulnerabilities": [ { "cve": "CVE-2024-35252", "cwe": { "id": "CWE-1104", "name": "Use of Unmaintained Third Party Components" }, "notes": [ { "category": "other", "text": "Use of Unmaintained Third Party Components", "title": "CWE-1104" } ], "product_status": { "known_affected": [ "CSAFPID-1477297" ] }, "references": [ { "category": "self", "summary": "CVE-2024-35252", "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-35252.json" } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-1477297" ] } ], "title": "CVE-2024-35252" }, { "cve": "CVE-2024-35253", "cwe": { "id": "CWE-59", "name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)" }, "notes": [ { "category": "other", "text": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)", "title": "CWE-59" } ], "product_status": { "known_affected": [ "CSAFPID-1455778", "CSAFPID-1477298", "CSAFPID-1455781" ] }, "references": [ { "category": "self", "summary": "CVE-2024-35253", "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-35253.json" } ], "scores": [ { "cvss_v3": { "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N/E:H/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-1455778", "CSAFPID-1477298", "CSAFPID-1455781" ] } ], "title": "CVE-2024-35253" }, { "cve": "CVE-2024-35254", "cwe": { "id": "CWE-59", "name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)" }, "notes": [ { "category": "other", "text": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)", "title": "CWE-59" } ], "product_status": { "known_affected": [ "CSAFPID-1454052" ] }, "references": [ { "category": "self", "summary": "CVE-2024-35254", "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-35254.json" } ], "scores": [ { "cvss_v3": { "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-1454052" ] } ], "title": "CVE-2024-35254" }, { "cve": "CVE-2024-35255", "cwe": { "id": "CWE-362", "name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)" }, "notes": [ { "category": "other", "text": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)", "title": "CWE-362" } ], "product_status": { "known_affected": [ "CSAFPID-1455908", "CSAFPID-1477299", "CSAFPID-1477300", "CSAFPID-1477301", "CSAFPID-1477302", "CSAFPID-1477303", "CSAFPID-1477304" ] }, "references": [ { "category": "self", "summary": "CVE-2024-35255", "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-35255.json" } ], "scores": [ { "cvss_v3": { "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-1455908", "CSAFPID-1477299", "CSAFPID-1477300", "CSAFPID-1477301", "CSAFPID-1477302", "CSAFPID-1477303", "CSAFPID-1477304" ] } ], "title": "CVE-2024-35255" }, { "cve": "CVE-2024-37325", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "notes": [ { "category": "other", "text": "Exposure of Sensitive Information to an Unauthorized Actor", "title": "CWE-200" } ], "product_status": { "known_affected": [ "CSAFPID-1477305" ] }, "references": [ { "category": "self", "summary": "CVE-2024-37325", "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-37325.json" } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-1477305" ] } ], "title": "CVE-2024-37325" } ] }
NCSC-2024-0249
Vulnerability from csaf_ncscnl
Published
2024-06-11 18:15
Modified
2024-06-11 18:15
Summary
Kwetsbaarheden verholpen in Microsoft Azure
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten
Microsoft heeft kwetsbaarheden verholpen in Azure producten.
Interpretaties
Een kwaadwillende kan de kwetsbaarheden misbruiken om een Denial-of-Service te veroorzaken, of om zich verhoogde rechten toe te kennen en mogelijk handelingen uit te voeren met beheerdersrechten.
De ernstigste kwetsbaarheid heeft kenmerk CVE-2024-37325 toegewezen gekregen. Deze kwetsbaarheid bevindt zich in de Data Science Virtual Machines met versies kleiner dan 24.05.24 welke draaien op Linux/Ubuntu. Een ongeauthenticeerde kwaadwillende kan de gebruikersgegevens van deze VM's achterhalen en inloggen als het slachtoffer.
```
Azure Storage Library:
|----------------|------|-------------------------------------|
| CVE-ID | CVSS | Impact |
|----------------|------|-------------------------------------|
| CVE-2024-35252 | 7.50 | Denial-of-Service |
|----------------|------|-------------------------------------|
Azure Monitor:
|----------------|------|-------------------------------------|
| CVE-ID | CVSS | Impact |
|----------------|------|-------------------------------------|
| CVE-2024-35254 | 7.10 | Verkrijgen van verhoogde rechten |
|----------------|------|-------------------------------------|
Azure File Sync:
|----------------|------|-------------------------------------|
| CVE-ID | CVSS | Impact |
|----------------|------|-------------------------------------|
| CVE-2024-35253 | 4.40 | Verkrijgen van verhoogde rechten |
|----------------|------|-------------------------------------|
Azure Data Science Virtual Machines:
|----------------|------|-------------------------------------|
| CVE-ID | CVSS | Impact |
|----------------|------|-------------------------------------|
| CVE-2024-37325 | 9.80 | Verkrijgen van verhoogde rechten |
|----------------|------|-------------------------------------|
Azure SDK:
|----------------|------|-------------------------------------|
| CVE-ID | CVSS | Impact |
|----------------|------|-------------------------------------|
| CVE-2024-35255 | 5.50 | Verkrijgen van verhoogde rechten |
|----------------|------|-------------------------------------|
```
Oplossingen
Microsoft heeft updates beschikbaar gesteld waarmee de beschreven kwetsbaarheden worden verholpen. We raden u aan om deze updates te installeren. Meer informatie over de kwetsbaarheden, de installatie van de updates en eventuele work-arounds vindt u op:
https://portal.msrc.microsoft.com/en-us/security-guidance
Kans
medium
Schade
high
CWE-1104
Use of Unmaintained Third Party Components
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-59
Improper Link Resolution Before File Access ('Link Following')
{ "document": { "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "nl", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." }, { "category": "description", "text": "Microsoft heeft kwetsbaarheden verholpen in Azure producten.", "title": "Feiten" }, { "category": "description", "text": "Een kwaadwillende kan de kwetsbaarheden misbruiken om een Denial-of-Service te veroorzaken, of om zich verhoogde rechten toe te kennen en mogelijk handelingen uit te voeren met beheerdersrechten.\n\nDe ernstigste kwetsbaarheid heeft kenmerk CVE-2024-37325 toegewezen gekregen. Deze kwetsbaarheid bevindt zich in de Data Science Virtual Machines met versies kleiner dan 24.05.24 welke draaien op Linux/Ubuntu. Een ongeauthenticeerde kwaadwillende kan de gebruikersgegevens van deze VM\u0027s achterhalen en inloggen als het slachtoffer.\n\n\n```\nAzure Storage Library: \n|----------------|------|-------------------------------------|\n| CVE-ID | CVSS | Impact |\n|----------------|------|-------------------------------------|\n| CVE-2024-35252 | 7.50 | Denial-of-Service | \n|----------------|------|-------------------------------------|\n\nAzure Monitor: \n|----------------|------|-------------------------------------|\n| CVE-ID | CVSS | Impact |\n|----------------|------|-------------------------------------|\n| CVE-2024-35254 | 7.10 | Verkrijgen van verhoogde rechten | \n|----------------|------|-------------------------------------|\n\nAzure File Sync: \n|----------------|------|-------------------------------------|\n| CVE-ID | CVSS | Impact |\n|----------------|------|-------------------------------------|\n| CVE-2024-35253 | 4.40 | Verkrijgen van verhoogde rechten | \n|----------------|------|-------------------------------------|\n\nAzure Data Science Virtual Machines: \n|----------------|------|-------------------------------------|\n| CVE-ID | CVSS | Impact |\n|----------------|------|-------------------------------------|\n| CVE-2024-37325 | 9.80 | Verkrijgen van verhoogde rechten | \n|----------------|------|-------------------------------------|\n\nAzure SDK: \n|----------------|------|-------------------------------------|\n| CVE-ID | CVSS | Impact |\n|----------------|------|-------------------------------------|\n| CVE-2024-35255 | 5.50 | Verkrijgen van verhoogde rechten | \n|----------------|------|-------------------------------------|\n```", "title": "Interpretaties" }, { "category": "description", "text": "Microsoft heeft updates beschikbaar gesteld waarmee de beschreven kwetsbaarheden worden verholpen. We raden u aan om deze updates te installeren. Meer informatie over de kwetsbaarheden, de installatie van de updates en eventuele work-arounds vindt u op:\n\nhttps://portal.msrc.microsoft.com/en-us/security-guidance", "title": "Oplossingen" }, { "category": "general", "text": "medium", "title": "Kans" }, { "category": "general", "text": "high", "title": "Schade" }, { "category": "general", "text": "Use of Unmaintained Third Party Components", "title": "CWE-1104" }, { "category": "general", "text": "Exposure of Sensitive Information to an Unauthorized Actor", "title": "CWE-200" }, { "category": "general", "text": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)", "title": "CWE-362" }, { "category": "general", "text": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)", "title": "CWE-59" } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "Nationaal Cyber Security Centrum", "namespace": "https://www.ncsc.nl/" }, "title": "Kwetsbaarheden verholpen in Microsoft Azure", "tracking": { "current_release_date": "2024-06-11T18:15:29.806897Z", "id": "NCSC-2024-0249", "initial_release_date": "2024-06-11T18:15:29.806897Z", "revision_history": [ { "date": "2024-06-11T18:15:29.806897Z", "number": "0", "summary": "Initiele versie" } ], "status": "final", "version": "1.0.0" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "azure_data_science_virtual_machines", "product": { "name": "azure_data_science_virtual_machines", "product_id": "CSAFPID-1477305", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:azure_data_science_virtual_machines:1.0.0:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "azure_file_sync", "product": { "name": "azure_file_sync", "product_id": "CSAFPID-1477298", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:azure_file_sync:1.0.0:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "azure_file_sync", "product": { "name": "azure_file_sync", "product_id": "CSAFPID-1455778", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:azure_file_sync:16.0.0:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "azure_file_sync", "product": { "name": "azure_file_sync", "product_id": "CSAFPID-1455781", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:azure_file_sync:17.0.0:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "azure_identity_library_for_.net", "product": { "name": "azure_identity_library_for_.net", "product_id": "CSAFPID-1455908", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:azure_identity_library_for_.net:1.0.0:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "azure_identity_library_for_c__", "product": { "name": "azure_identity_library_for_c__", "product_id": "CSAFPID-1477303", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:azure_identity_library_for_c__:1.0.0:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "azure_identity_library_for_java", "product": { "name": "azure_identity_library_for_java", "product_id": "CSAFPID-1477301", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:azure_identity_library_for_java:1.0.0:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "azure_identity_library_for_javascript", "product": { "name": "azure_identity_library_for_javascript", "product_id": "CSAFPID-1477302", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:azure_identity_library_for_javascript:1.0.0:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "azure_identity_library_for_python", "product": { "name": "azure_identity_library_for_python", "product_id": "CSAFPID-1477304", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:azure_identity_library_for_python:1.0.0:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "azure_identity_library", "product": { "name": "azure_identity_library", "product_id": "CSAFPID-1477300", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:azure_identity_library:1.0.0:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "azure_monitor", "product": { "name": "azure_monitor", "product_id": "CSAFPID-1454052", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:azure_monitor:1.0.0:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "azure_storage", "product": { "name": "azure_storage", "product_id": "CSAFPID-1477297", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:azure_storage:1.0.0:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "microsoft_authentication_library", "product": { "name": "microsoft_authentication_library", "product_id": "CSAFPID-1477299", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:microsoft_authentication_library:1.0.0:*:*:*:*:*:*:*" } } } ], "category": "vendor", "name": "microsoft" } ] }, "vulnerabilities": [ { "cve": "CVE-2024-35252", "cwe": { "id": "CWE-1104", "name": "Use of Unmaintained Third Party Components" }, "notes": [ { "category": "other", "text": "Use of Unmaintained Third Party Components", "title": "CWE-1104" } ], "product_status": { "known_affected": [ "CSAFPID-1477297" ] }, "references": [ { "category": "self", "summary": "CVE-2024-35252", "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-35252.json" } ], "scores": [ { "cvss_v3": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-1477297" ] } ], "title": "CVE-2024-35252" }, { "cve": "CVE-2024-35253", "cwe": { "id": "CWE-59", "name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)" }, "notes": [ { "category": "other", "text": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)", "title": "CWE-59" } ], "product_status": { "known_affected": [ "CSAFPID-1455778", "CSAFPID-1477298", "CSAFPID-1455781" ] }, "references": [ { "category": "self", "summary": "CVE-2024-35253", "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-35253.json" } ], "scores": [ { "cvss_v3": { "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N/E:H/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-1455778", "CSAFPID-1477298", "CSAFPID-1455781" ] } ], "title": "CVE-2024-35253" }, { "cve": "CVE-2024-35254", "cwe": { "id": "CWE-59", "name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)" }, "notes": [ { "category": "other", "text": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)", "title": "CWE-59" } ], "product_status": { "known_affected": [ "CSAFPID-1454052" ] }, "references": [ { "category": "self", "summary": "CVE-2024-35254", "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-35254.json" } ], "scores": [ { "cvss_v3": { "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-1454052" ] } ], "title": "CVE-2024-35254" }, { "cve": "CVE-2024-35255", "cwe": { "id": "CWE-362", "name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)" }, "notes": [ { "category": "other", "text": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)", "title": "CWE-362" } ], "product_status": { "known_affected": [ "CSAFPID-1455908", "CSAFPID-1477299", "CSAFPID-1477300", "CSAFPID-1477301", "CSAFPID-1477302", "CSAFPID-1477303", "CSAFPID-1477304" ] }, "references": [ { "category": "self", "summary": "CVE-2024-35255", "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-35255.json" } ], "scores": [ { "cvss_v3": { "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-1455908", "CSAFPID-1477299", "CSAFPID-1477300", "CSAFPID-1477301", "CSAFPID-1477302", "CSAFPID-1477303", "CSAFPID-1477304" ] } ], "title": "CVE-2024-35255" }, { "cve": "CVE-2024-37325", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "notes": [ { "category": "other", "text": "Exposure of Sensitive Information to an Unauthorized Actor", "title": "CWE-200" } ], "product_status": { "known_affected": [ "CSAFPID-1477305" ] }, "references": [ { "category": "self", "summary": "CVE-2024-37325", "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-37325.json" } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "version": "3.1" }, "products": [ "CSAFPID-1477305" ] } ], "title": "CVE-2024-37325" } ] }
ghsa-m5vv-6r4h-3vj9
Vulnerability from github
Published
2024-06-11 18:30
Modified
2024-07-08 14:32
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.8 (Medium) - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
6.8 (Medium) - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
Details
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.
{ "affected": [ { "package": { "ecosystem": "PyPI", "name": "azure-identity" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.16.1" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "npm", "name": "@azure/identity" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "4.2.1" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "com.azure:azure-identity" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.12.2" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "npm", "name": "@azure/msal-node" }, "ranges": [ { "events": [ { "introduced": "2.7.0" }, { "fixed": "2.9.2" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.Identity.Client" }, "ranges": [ { "events": [ { "introduced": "4.49.1" }, { "fixed": "4.60.4" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Go", "name": "github.com/Azure/azure-sdk-for-go/sdk/azidentity" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.6.0" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "com.microsoft.azure:msal4j" }, "ranges": [ { "events": [ { "introduced": "1.14.4-beta" }, { "fixed": "1.15.1" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "Azure.Identity" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.11.4" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.Identity.Client" }, "ranges": [ { "events": [ { "introduced": "4.61.0" }, { "fixed": "4.61.3" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2024-35255" ], "database_specific": { "cwe_ids": [ "CWE-362" ], "github_reviewed": true, "github_reviewed_at": "2024-06-11T19:57:01Z", "nvd_published_at": "2024-06-11T17:16:03Z", "severity": "MODERATE" }, "details": "Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.", "id": "GHSA-m5vv-6r4h-3vj9", "modified": "2024-07-08T14:32:27Z", "published": "2024-06-11T18:30:50Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35255" }, { "type": "WEB", "url": "https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4806#issuecomment-2178960340" }, { "type": "WEB", "url": "https://github.com/Azure/azure-sdk-for-go/commit/50774cd9709905523136fb05e8c85a50e8984499" }, { "type": "WEB", "url": "https://github.com/Azure/azure-sdk-for-java/commit/5bf020d6ea056de40e2738e3647a4e06f902c18d" }, { "type": "WEB", "url": "https://github.com/Azure/azure-sdk-for-js/commit/c6aa75d312ae463e744163cedfd8fc480cc8d492" }, { "type": "WEB", "url": "https://github.com/Azure/azure-sdk-for-net/commit/9279a4f38bf69b457cfb9b354f210e0a540a5c53" }, { "type": "WEB", "url": "https://github.com/Azure/azure-sdk-for-python/commit/cb065acd7d0f957327dc4f02d1646d4e51a94178" }, { "type": "WEB", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "type": "CVSS_V3" }, { "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "type": "CVSS_V4" } ], "summary": "Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability" }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.