Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2024-35255 |
CWE-ID | CWE-362 |
Exploitation vector | Local |
Public exploit | N/A |
Vulnerable software |
Microsoft Authentication Library (MSAL) for Python Mobile applications / Apps for mobile phones Microsoft Authentication Library (MSAL) for Node.js Mobile applications / Apps for mobile phones Microsoft Authentication Library (MSAL) for Java Mobile applications / Apps for mobile phones Microsoft Authentication Library (MSAL) for .NET Mobile applications / Apps for mobile phones Azure Identity Library for Python Mobile applications / Apps for mobile phones Azure Identity Library for JavaScript Mobile applications / Apps for mobile phones Azure Identity Library for Java Mobile applications / Apps for mobile phones Azure Identity Library for Go Mobile applications / Apps for mobile phones Azure Identity Library for C++ Mobile applications / Apps for mobile phones Azure Identity Library for .NET Other software / Other software solutions |
Vendor | Microsoft |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU91723
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-35255
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a race condition in Azure Identity Libraries and Microsoft Authentication Library. A local user can elevate privileges and read any file on the file system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMicrosoft Authentication Library (MSAL) for Python: All versions
Microsoft Authentication Library (MSAL) for Node.js: All versions
Microsoft Authentication Library (MSAL) for Java: All versions
Microsoft Authentication Library (MSAL) for .NET: All versions
Azure Identity Library for Python: All versions
Azure Identity Library for JavaScript: All versions
Azure Identity Library for Java: All versions
Azure Identity Library for Go: All versions
Azure Identity Library for C++: All versions
Azure Identity Library for .NET: All versions
CPE2.3http://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.