Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for Azure Site Recovery by Microsoft

    CVE-2024-21364 (GCVE-0-2024-21364)

    Vulnerability from nvd – Published: 2024-02-13 18:02 – Updated: 2025-05-03 01:37
    VLAI
    Title
    Microsoft Azure Site Recovery Elevation of Privilege Vulnerability
    Summary
    Microsoft Azure Site Recovery Elevation of Privilege Vulnerability
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    Microsoft Azure Site Recovery Affected: 2021 , < 9.57 (custom)
    Create a notification for this product.
    Date Public
    2024-02-13 08:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-21364",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-02-13T21:42:03.448258Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-18T20:57:46.019Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T22:20:40.537Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "Microsoft Azure Site Recovery Elevation of Privilege Vulnerability",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21364"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "Unknown"
              ],
              "product": "Azure Site Recovery",
              "vendor": "Microsoft",
              "versions": [
                {
                  "lessThan": "9.57",
                  "status": "affected",
                  "version": "2021",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:microsoft:azure_active_site_recovery:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "9.57",
                      "versionStartIncluding": "2021",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "datePublic": "2024-02-13T08:00:00.000Z",
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Microsoft Azure Site Recovery Elevation of Privilege Vulnerability"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-03T01:37:34.626Z",
            "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
            "shortName": "microsoft"
          },
          "references": [
            {
              "name": "Microsoft Azure Site Recovery Elevation of Privilege Vulnerability",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21364"
            }
          ],
          "title": "Microsoft Azure Site Recovery Elevation of Privilege Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "assignerShortName": "microsoft",
        "cveId": "CVE-2024-21364",
        "datePublished": "2024-02-13T18:02:38.462Z",
        "dateReserved": "2023-12-08T22:45:20.448Z",
        "dateUpdated": "2025-05-03T01:37:34.626Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-42306 (GCVE-0-2021-42306)

    Vulnerability from nvd – Published: 2021-11-24 01:05 – Updated: 2024-08-04 03:30
    VLAI
    Title
    Azure Active Directory Information Disclosure Vulnerability
    Summary
    An information disclosure vulnerability manifests when a user or an application uploads unprotected private key data as part of an authentication certificate keyCredential  on an Azure AD Application or Service Principal (which is not recommended). This vulnerability allows a user or service in the tenant with application read access to read the private key data that was added to the application. Azure AD addressed this vulnerability by preventing disclosure of any private key values added to the application. Microsoft has identified services that could manifest this vulnerability, and steps that customers should take to be protected. Refer to the FAQ section for more information. For more details on this issue, please refer to the MSRC Blog Entry.
    CWE
    • Elevation of Privilege
    Assigner
    References
    Impacted products
    Date Public
    2021-11-17 08:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T03:30:38.252Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42306"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:microsoft:azure_automation:-:*:*:*:*:*:*:*"
              ],
              "platforms": [
                "Unknown"
              ],
              "product": "Azure Automation",
              "vendor": "Microsoft",
              "versions": [
                {
                  "lessThan": "publication",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "cpes": [],
              "platforms": [
                "Unknown"
              ],
              "product": "Azure Active Directory",
              "vendor": "Microsoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "N/A"
                }
              ]
            },
            {
              "cpes": [],
              "platforms": [
                "Unknown"
              ],
              "product": "Azure Site Recovery",
              "vendor": "Microsoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "N/A"
                }
              ]
            },
            {
              "cpes": [],
              "platforms": [
                "Unknown"
              ],
              "product": "Azure Migrate",
              "vendor": "Microsoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "N/A"
                }
              ]
            }
          ],
          "datePublic": "2021-11-17T08:00:00.000Z",
          "descriptions": [
            {
              "lang": "en-US",
              "value": "An information disclosure vulnerability manifests when a user or an application uploads unprotected private key data as part of an authentication certificate keyCredential\u202f on an Azure AD Application or Service Principal (which is not recommended). This vulnerability allows a user or service in the tenant with application read access to read the private key data that was added to the application.\nAzure AD\u202faddressed this vulnerability by preventing disclosure of any private key\u202fvalues added\u202fto the application.\nMicrosoft has identified services that could manifest this vulnerability, and steps that customers should take to be protected. Refer to the FAQ section for more information.\nFor more details on this issue, please refer to the MSRC Blog Entry."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Elevation of Privilege",
                  "lang": "en-US",
                  "type": "Impact"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-29T14:48:06.584Z",
            "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
            "shortName": "microsoft"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42306"
            }
          ],
          "title": "Azure Active Directory Information Disclosure Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "assignerShortName": "microsoft",
        "cveId": "CVE-2021-42306",
        "datePublished": "2021-11-24T01:05:13.000Z",
        "dateReserved": "2021-10-12T00:00:00.000Z",
        "dateUpdated": "2024-08-04T03:30:38.252Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-21364 (GCVE-0-2024-21364)

    Vulnerability from cvelistv5 – Published: 2024-02-13 18:02 – Updated: 2025-05-03 01:37
    VLAI
    Title
    Microsoft Azure Site Recovery Elevation of Privilege Vulnerability
    Summary
    Microsoft Azure Site Recovery Elevation of Privilege Vulnerability
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    References
    Impacted products
    Vendor Product Version
    Microsoft Azure Site Recovery Affected: 2021 , < 9.57 (custom)
    Create a notification for this product.
    Date Public
    2024-02-13 08:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-21364",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-02-13T21:42:03.448258Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-18T20:57:46.019Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T22:20:40.537Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "Microsoft Azure Site Recovery Elevation of Privilege Vulnerability",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21364"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "platforms": [
                "Unknown"
              ],
              "product": "Azure Site Recovery",
              "vendor": "Microsoft",
              "versions": [
                {
                  "lessThan": "9.57",
                  "status": "affected",
                  "version": "2021",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:microsoft:azure_active_site_recovery:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "9.57",
                      "versionStartIncluding": "2021",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "datePublic": "2024-02-13T08:00:00.000Z",
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Microsoft Azure Site Recovery Elevation of Privilege Vulnerability"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-03T01:37:34.626Z",
            "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
            "shortName": "microsoft"
          },
          "references": [
            {
              "name": "Microsoft Azure Site Recovery Elevation of Privilege Vulnerability",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21364"
            }
          ],
          "title": "Microsoft Azure Site Recovery Elevation of Privilege Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "assignerShortName": "microsoft",
        "cveId": "CVE-2024-21364",
        "datePublished": "2024-02-13T18:02:38.462Z",
        "dateReserved": "2023-12-08T22:45:20.448Z",
        "dateUpdated": "2025-05-03T01:37:34.626Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-42306 (GCVE-0-2021-42306)

    Vulnerability from cvelistv5 – Published: 2021-11-24 01:05 – Updated: 2024-08-04 03:30
    VLAI
    Title
    Azure Active Directory Information Disclosure Vulnerability
    Summary
    An information disclosure vulnerability manifests when a user or an application uploads unprotected private key data as part of an authentication certificate keyCredential  on an Azure AD Application or Service Principal (which is not recommended). This vulnerability allows a user or service in the tenant with application read access to read the private key data that was added to the application. Azure AD addressed this vulnerability by preventing disclosure of any private key values added to the application. Microsoft has identified services that could manifest this vulnerability, and steps that customers should take to be protected. Refer to the FAQ section for more information. For more details on this issue, please refer to the MSRC Blog Entry.
    CWE
    • Elevation of Privilege
    Assigner
    References
    Impacted products
    Date Public
    2021-11-17 08:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T03:30:38.252Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42306"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:microsoft:azure_automation:-:*:*:*:*:*:*:*"
              ],
              "platforms": [
                "Unknown"
              ],
              "product": "Azure Automation",
              "vendor": "Microsoft",
              "versions": [
                {
                  "lessThan": "publication",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "cpes": [],
              "platforms": [
                "Unknown"
              ],
              "product": "Azure Active Directory",
              "vendor": "Microsoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "N/A"
                }
              ]
            },
            {
              "cpes": [],
              "platforms": [
                "Unknown"
              ],
              "product": "Azure Site Recovery",
              "vendor": "Microsoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "N/A"
                }
              ]
            },
            {
              "cpes": [],
              "platforms": [
                "Unknown"
              ],
              "product": "Azure Migrate",
              "vendor": "Microsoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "N/A"
                }
              ]
            }
          ],
          "datePublic": "2021-11-17T08:00:00.000Z",
          "descriptions": [
            {
              "lang": "en-US",
              "value": "An information disclosure vulnerability manifests when a user or an application uploads unprotected private key data as part of an authentication certificate keyCredential\u202f on an Azure AD Application or Service Principal (which is not recommended). This vulnerability allows a user or service in the tenant with application read access to read the private key data that was added to the application.\nAzure AD\u202faddressed this vulnerability by preventing disclosure of any private key\u202fvalues added\u202fto the application.\nMicrosoft has identified services that could manifest this vulnerability, and steps that customers should take to be protected. Refer to the FAQ section for more information.\nFor more details on this issue, please refer to the MSRC Blog Entry."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Elevation of Privilege",
                  "lang": "en-US",
                  "type": "Impact"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-29T14:48:06.584Z",
            "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
            "shortName": "microsoft"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42306"
            }
          ],
          "title": "Azure Active Directory Information Disclosure Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "assignerShortName": "microsoft",
        "cveId": "CVE-2021-42306",
        "datePublished": "2021-11-24T01:05:13.000Z",
        "dateReserved": "2021-10-12T00:00:00.000Z",
        "dateUpdated": "2024-08-04T03:30:38.252Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }