Description
The MSAL library enables acquisition of security tokens to call protected APIs. MSAL.NET applications targeting Xamarin Android and .NET Android (e.g., MAUI) using the library from versions 4.48.0 to 4.60.0 are impacted by a low-severity vulnerability. A malicious application running on a customer Android device can cause local denial of service against applications on the same device that were built using MSAL.NET for authentication (i.e., prevent the user of the legitimate application from logging in) due to incorrect activity export configuration. MSAL.NET version 4.60.1 includes the fix. As a workaround, a developer may explicitly mark the MSAL.NET activity as non-exported.
Scores
CVSS v3
3.9
EPSS
0.0005
EPSS Percentile
16.2%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-863
CWE-926
Status
published
Products (3)
AzureAD/microsoft-authentication-library-for-dotnet
>= 4.48.0, < 4.59.1
AzureAD/microsoft-authentication-library-for-dotnet
>= 4.60.0, < 4.60.3
nuget/Microsoft.Identity.Client
4.48.0 - 4.59.1 (NuGet)
Published
Apr 16, 2024
Tracked Since
Feb 18, 2026