FKIE_CVE-2025-32016

Vulnerability from fkie_nvd - Published: 2025-04-09 16:15 - Updated: 2025-04-09 20:02
Severity ?
4.7 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Microsoft Identity Web is a library which contains a set of reusable classes used in conjunction with ASP.NET Core for integrating with the Microsoft identity platform (formerly Azure AD v2.0 endpoint) and AAD B2C. This vulnerability affects confidential client applications, including daemons, web apps, and web APIs. Under specific circumstances, sensitive information such as client secrets or certificate details may be exposed in the service logs of these applications. Service logs are intended to be handled securely. Service logs generated at the information level or credential descriptions containing local file paths with passwords, Base64 encoded values, or Client secret. Additionally, logs of services using Base64 encoded certificates or certificate paths with password credential descriptions are also affected if the certificates are invalid or expired, regardless of the log level. Note that these credentials are not usable due to their invalid or expired status. To mitigate this vulnerability, update to Microsoft.Identity.Web 3.8.2 or Microsoft.Identity.Abstractions 9.0.0.
References
security-advisories@github.comhttps://github.com/AzureAD/microsoft-identity-web/security/advisories/GHSA-rpq8-q44m-2rpg
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Microsoft Identity Web is a library which contains a set of reusable classes used in conjunction with ASP.NET Core for integrating with the Microsoft identity platform (formerly Azure AD v2.0 endpoint) and AAD B2C. This vulnerability affects confidential client applications, including daemons, web apps, and web APIs. Under specific circumstances, sensitive information such as client secrets or certificate details may be exposed in the service logs of these applications. Service logs are intended to be handled securely. Service logs generated at the information level or credential descriptions containing local file paths with passwords, Base64 encoded values, or Client secret. Additionally, logs of services using Base64 encoded certificates or certificate paths with password credential descriptions are also affected if the certificates are invalid or expired, regardless of the log level. Note that these credentials are not usable due to their invalid or expired status. To mitigate this vulnerability, update to Microsoft.Identity.Web 3.8.2 or Microsoft.Identity.Abstractions 9.0.0."
    },
    {
      "lang": "es",
      "value": "Microsoft Identity Web es una librer\u00eda que contiene un conjunto de clases reutilizables que se utilizan junto con ASP.NET Core para la integraci\u00f3n con la plataforma de identidad de Microsoft (anteriormente, endpoint de Azure AD v2.0) y AAD B2C. Esta vulnerabilidad afecta a aplicaciones cliente confidenciales, como daemons, aplicaciones web y API web. En circunstancias espec\u00edficas, informaci\u00f3n confidencial, como secretos de cliente o detalles de certificados, puede quedar expuesta en los registros de servicio de estas aplicaciones. Los registros de servicio est\u00e1n dise\u00f1ados para gestionarse de forma segura. Los registros de servicio generados a nivel de informaci\u00f3n o descripciones de credenciales contienen rutas de archivos locales con contrase\u00f1as, valores codificados en Base64 o secretos de cliente. Adem\u00e1s, los registros de servicios que utilizan certificados codificados en Base64 o rutas de certificados con descripciones de credenciales de contrase\u00f1a tambi\u00e9n se ven afectados si los certificados no son v\u00e1lidos o han caducado, independientemente del nivel de registro. Tenga en cuenta que estas credenciales no se pueden utilizar debido a su estado no v\u00e1lido o caducado. Para mitigar esta vulnerabilidad, actualice a Microsoft.Identity.Web 3.8.2 o Microsoft.Identity.Abstractions 9.0.0."
    }
  ],
  "id": "CVE-2025-32016",
  "lastModified": "2025-04-09T20:02:41.860",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 4.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-04-09T16:15:24.770",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/AzureAD/microsoft-identity-web/security/advisories/GHSA-rpq8-q44m-2rpg"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-532"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.