Race condition in Microsoft products - CVE-2024-35255

 


Published: June 11, 2024


Vulnerability identifier: #VU91723
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-35255
CWE-ID: CWE-362
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software:
Microsoft Authentication Library (MSAL) for Python
Microsoft Authentication Library (MSAL) for Node.js
Microsoft Authentication Library (MSAL) for Java
Microsoft Authentication Library (MSAL) for .NET
Azure Identity Library for Python
Azure Identity Library for JavaScript
Azure Identity Library for Java
Azure Identity Library for Go
Azure Identity Library for C++
Azure Identity Library for .NET
Software vendor:
Microsoft

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition in Azure Identity Libraries and Microsoft Authentication Library. A local user can elevate privileges and read any file on the file system.


Remediation

Install updates from the vendor's website.

External links