CVE-2019-1258

HIGH

Azure Active Directory Authentication Library - Privilege Escalation

Title source: llm

Description

An elevation of privilege vulnerability exists in Azure Active Directory Authentication Library On-Behalf-Of flow, in the way the library caches tokens. This vulnerability allows an authenticated attacker to perform actions in context of another user. The authenticated attacker can exploit this vulneraiblity by accessing a service configured for On-Behalf-Of flow that assigns incorrect tokens. This security update addresses the vulnerability by removing fallback cache look-up for On-Behalf-Of scenarios.

References (1)

Core 1

Core References

Patch, Vendor Advisory x_refsource_misc

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1258

Scores

CVSS v3 8.8

EPSS 0.1065

EPSS Percentile 93.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

Status published

Products (7)

microsoft/active_directory_authentication_library 5.0.0 preview

microsoft/active_directory_authentication_library 5.0.1 preview

microsoft/active_directory_authentication_library 5.0.2 preview

microsoft/active_directory_authentication_library 5.0.3 preview

microsoft/active_directory_authentication_library 5.0.5 - 5.2.0

microsoft/nuget 5.2.0

nuget/microsoft.identitymodel.clients.activedirectory 5.0.0 - 5.2.0NuGet

Published Aug 14, 2019

Tracked Since Feb 18, 2026