U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database

Vulnerability Change Records for CVE-2021-42306

Change History

CVE Modified by Microsoft Corporation 12/28/2023 11:15:59 AM

Action Type Old Value New Value
Changed Description 
Azure Active Directory Information Disclosure Vulnerability
 
<p>An information disclosure vulnerability manifests when a user or an application uploads unprotected private key data as part of an authentication certificate <a href="https://docs.microsoft.com/en-us/graph/api/resources/keycredential?view=graph-rest-1.0">keyCredential</a>  on an Azure AD <a href="https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals">Application or Service Principal</a> (which is not recommended). This vulnerability allows a user or service in the tenant with application read access to read the private key data that was added to the application.</p>
<p>Azure AD addressed this vulnerability by preventing disclosure of any private key values added to the application.</p>
<p>Microsoft has identified services that could manifest this vulnerability, and steps that customers should take to be protected. Refer to the FAQ section for more information.</p>
<p>For more details on this issue, please refer to the <a href="https://aka.ms/CVE-2021-42306-AAD">MSRC Blog Entry</a>.</p>
Added CVSS V3.1 

								
							
							
								
							
						
								
							
								
Microsoft Corporation AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N