Race condition in Microsoft products - CVE-2024-35255
Published: June 11, 2024
Vulnerability identifier: #VU91723
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-35255
CWE-ID: CWE-362
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Microsoft
Affected software:
Microsoft Authentication Library (MSAL) for Python
Microsoft Authentication Library (MSAL) for Node.js
Microsoft Authentication Library (MSAL) for Java
Microsoft Authentication Library (MSAL) for .NET
Azure Identity Library for Python
Azure Identity Library for JavaScript
Azure Identity Library for Java
Azure Identity Library for Go
Azure Identity Library for C++
Azure Identity Library for .NET
Detailed vulnerability description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a race condition in the Azure Identity Libraries and the Microsoft Authentication Library (MSAL). A local user can elevate privileges and read any file on the file system.
How to mitigate CVE-2024-35255
Install updates from the vendor's website.