cnvd - cnvd-2021-100792

cnvd-2021-100792

Vulnerability from cnvd

Title: Microsoft Azure信息泄露漏洞（CNVD-2021-100792）

Description:

Microsoft Azure是美国微软（Microsoft）公司的一套开放的企业级云计算平台。

Microsoft Azure存在安全漏洞。目前没有详细的漏洞细节提供。

Severity: 中

Patch Name: Microsoft Azure信息泄露漏洞（CNVD-2021-100792）的补丁

Patch Description:

Microsoft Azure是美国微软（Microsoft）公司的一套开放的企业级云计算平台。

Microsoft Azure存在安全漏洞。目前没有详细的漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页： https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42306

Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-42306

Impacted products

Name
Microsoft Azure

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-42306"
    }
  },
  "description": "Microsoft Azure\u662f\u7f8e\u56fd\u5fae\u8f6f\uff08Microsoft\uff09\u516c\u53f8\u7684\u4e00\u5957\u5f00\u653e\u7684\u4f01\u4e1a\u7ea7\u4e91\u8ba1\u7b97\u5e73\u53f0\u3002\n\nMicrosoft Azure\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42306",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-100792",
  "openTime": "2021-12-20",
  "patchDescription": "Microsoft Azure\u662f\u7f8e\u56fd\u5fae\u8f6f\uff08Microsoft\uff09\u516c\u53f8\u7684\u4e00\u5957\u5f00\u653e\u7684\u4f01\u4e1a\u7ea7\u4e91\u8ba1\u7b97\u5e73\u53f0\u3002\r\n\r\nMicrosoft Azure\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Microsoft Azure\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2021-100792\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Microsoft Azure"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-42306",
  "serverity": "\u4e2d",
  "submitTime": "2021-11-22",
  "title": "Microsoft Azure\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2021-100792\uff09"
}

CVE-2021-42306 (GCVE-0-2021-42306)

Vulnerability from cvelistv5

Published

2021-11-24 01:05

Modified

2024-08-04 03:30

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C

CWE

Elevation of Privilege

Summary

An information disclosure vulnerability manifests when a user or an application uploads unprotected private key data as part of an authentication certificate keyCredential  on an Azure AD Application or Service Principal (which is not recommended). This vulnerability allows a user or service in the tenant with application read access to read the private key data that was added to the application. Azure AD addressed this vulnerability by preventing disclosure of any private key values added to the application. Microsoft has identified services that could manifest this vulnerability, and steps that customers should take to be protected. Refer to the FAQ section for more information. For more details on this issue, please refer to the MSRC Blog Entry.

References

▼	URL	Tags
	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42306	x_refsource_MISC

Impacted products

Vendor

Product

Version

▼

Microsoft

Azure Automation

Version: 1.0.0 < publication
cpe:2.3:a:microsoft:azure_automation:-:*:*:*:*:*:*:*

Microsoft	Azure Active Directory	Version: N/A
Microsoft	Azure Site Recovery	Version: N/A
Microsoft	Azure Migrate	Version: N/A

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:30:38.252Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42306"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:microsoft:azure_automation:-:*:*:*:*:*:*:*"
          ],
          "platforms": [
            "Unknown"
          ],
          "product": "Azure Automation",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "publication",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "cpes": [],
          "platforms": [
            "Unknown"
          ],
          "product": "Azure Active Directory",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "N/A"
            }
          ]
        },
        {
          "cpes": [],
          "platforms": [
            "Unknown"
          ],
          "product": "Azure Site Recovery",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "N/A"
            }
          ]
        },
        {
          "cpes": [],
          "platforms": [
            "Unknown"
          ],
          "product": "Azure Migrate",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "N/A"
            }
          ]
        }
      ],
      "datePublic": "2021-11-17T08:00:00+00:00",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "An information disclosure vulnerability manifests when a user or an application uploads unprotected private key data as part of an authentication certificate keyCredential\u202f on an Azure AD Application or Service Principal (which is not recommended). This vulnerability allows a user or service in the tenant with application read access to read the private key data that was added to the application.\nAzure AD\u202faddressed this vulnerability by preventing disclosure of any private key\u202fvalues added\u202fto the application.\nMicrosoft has identified services that could manifest this vulnerability, and steps that customers should take to be protected. Refer to the FAQ section for more information.\nFor more details on this issue, please refer to the MSRC Blog Entry.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Elevation of Privilege",
              "lang": "en-US",
              "type": "Impact"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-29T14:48:06.584Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42306"
        }
      ],
      "title": "Azure Active Directory Information Disclosure Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2021-42306",
    "datePublished": "2021-11-24T01:05:13",
    "dateReserved": "2021-10-12T00:00:00",
    "dateUpdated": "2024-08-04T03:30:38.252Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted