[{"vendor":"Microsoft","product":"ADAL.NET","cpes":["cpe:2.3:a:microsoft:active_directory_authentication_library:*:*:*:*:*:.net:*:*"],"platforms":["Unknown"],"versions":[{"version":"5.0.0","lessThan":"publication","versionType":"custom","status":"affected"}]},{"vendor":"Microsoft","product":"Nuget 5.2.0","cpes":["cpe:2.3:a:microsoft:nuget:5.2.0:*:*:*:*:*:*:*"],"platforms":["Unknown"],"versions":[{"version":"5.0.0","lessThan":"publication","versionType":"custom","status":"affected"}]}]

An elevation of privilege vulnerability exists in Azure Active Directory Authentication Library On-Behalf-Of flow, in the way the library caches tokens. This vulnerability allows an authenticated attacker to perform actions in context of another user.
The authenticated attacker can exploit this vulneraiblity by accessing a service configured for On-Behalf-Of flow that assigns incorrect tokens.
This security update addresses the vulnerability by removing fallback cache look-up for On-Behalf-Of scenarios.

An elevation of privilege vulnerability exists in Azure Active Directory Authentication Library On-Behalf-Of flow, in the way the library caches tokens. This vulnerability allows an authenticated attacker to perform actions in context of another user.
The authenticated attacker can exploit this vulneraiblity by accessing a service configured for On-Behalf-Of flow that assigns incorrect tokens.
This security update addresses the vulnerability by removing fallback cache look-up for On-Behalf-Of scenarios.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1258

An elevation of privilege vulnerability exists in Azure Active Directory Authentication Library On-Behalf-Of flow, in the way the library caches tokens, aka 'Azure Active Directory Authentication Library Elevation of Privilege Vulnerability'.

An elevation of privilege vulnerability exists in Azure Active Directory Authentication Library On-Behalf-Of flow, in the way the library caches tokens. This vulnerability allows an authenticated attacker to perform actions in context of another user.
The authenticated attacker can exploit this vulneraiblity by accessing a service configured for On-Behalf-Of flow that assigns incorrect tokens.
This security update addresses the vulnerability by removing fallback cache look-up for On-Behalf-Of scenarios.

CWE-264

NVD-CWE-noinfo

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

(AV:N/AC:L/Au:S/C:P/I:P/A:P)

CWE-264

OR
     *cpe:2.3:a:microsoft:active_directory_authentication_library:5.0.0:preview:*:*:*:.net:*:*
     *cpe:2.3:a:microsoft:active_directory_authentication_library:5.0.1:preview:*:*:*:.net:*:*
     *cpe:2.3:a:microsoft:active_directory_authentication_library:5.0.2:preview:*:*:*:.net:*:*
     *cpe:2.3:a:microsoft:active_directory_authentication_library:5.0.3:preview:*:*:*:.net:*:*
     *cpe:2.3:a:microsoft:active_directory_authentication_library:*:*:*:*:*:.net:*:* versions from (including) 5.0.5 up to (excluding) 5.2.0
     *cpe:2.3:a:microsoft:nuget:5.2.0:*:*:*:*:*:*:*

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1258 No Types Assigned

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1258 Patch, Vendor Advisory