{ "threat_severity" : "Moderate", "public_date" : "2024-07-01T00:00:00Z", "bugzilla" : { "description" : "azure-identity: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity", "id" : "2295081", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2295081" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-362", "details" : [ "Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability", "A flaw was found in Microsoft's Azure Identity Libraries and the Microsoft Authentication Library (MSAL). The flaw arises from a race condition—a scenario where the timing of events leads to unexpected behavior—during concurrent operations on shared resources. This can result in privilege escalation, allowing attackers to gain unauthorized access to sensitive information. The vulnerability affects multiple versions of these libraries across various programming languages, including Java, .NET, Node.js, Python, JavaScript, C++, and Go. Microsoft has addressed this issue by releasing updated versions of the affected libraries. Users are strongly advised to upgrade to these patched versions to mitigate potential security risks." ], "statement" : "Red Hat build of Apache Camel for Spring boot is not affected as 4.4.1 was released containing a fixed version of the Azure Identity Library.", "affected_release" : [ { "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3", "release_date" : "2024-09-24T00:00:00Z", "advisory" : "RHSA-2024:7052", "cpe" : "cpe:/a:redhat:camel_quarkus:3.8", "package" : "com.azure/azure-identity" }, { "product_name" : "Red Hat Developer Hub 1.3 on RHEL 9", "release_date" : "2024-10-02T00:00:00Z", "advisory" : "RHBA-2024:7523", "cpe" : "cpe:/a:redhat:rhdh:1.3::el9", "package" : "rhdh/rhdh-hub-rhel9:1.3-100" }, { "product_name" : "cert-manager operator for Red Hat OpenShift 1.15", "release_date" : "2025-01-21T00:00:00Z", "advisory" : "RHSA-2025:0536", "cpe" : "cpe:/a:redhat:cert_manager:1.15::el9", "package" : "cert-manager/jetstack-cert-manager-acmesolver-rhel9:sha256:2e4eae54c75591d3dacd8165159397a63d6f695a1f733d12623652705ad40173" }, { "product_name" : "cert-manager operator for Red Hat OpenShift 1.15", "release_date" : "2025-01-21T00:00:00Z", "advisory" : "RHSA-2025:0536", "cpe" : "cpe:/a:redhat:cert_manager:1.15::el9", "package" : "cert-manager/jetstack-cert-manager-rhel9:sha256:30d0113003152532d29a845550a78454a1f88099e90b475711ab74901560c67e" } ], "package_state" : [ { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Will not fix", "package_name" : "aap-cloud-metrics-collector-container", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-24/ee-dellemc-openmanage-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-24/ee-minimal-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-25/ansible-builder-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-25/ee-cloud-services-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-25/ee-supported-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-25/platform-resource-runner-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 3", "fix_state" : "Will not fix", "package_name" : "com.azure/azure-identity", "cpe" : "cpe:/a:redhat:camel_spring_boot:3" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 4", "fix_state" : "Not affected", "package_name" : "com.azure/azure-identity", "cpe" : "cpe:/a:redhat:camel_spring_boot:4" }, { "product_name" : "Red Hat build of Quarkus", "fix_state" : "Will not fix", "package_name" : "com.azure/azure-identity", "cpe" : "cpe:/a:redhat:quarkus:3" }, { "product_name" : "Red Hat Developer Hub", "fix_state" : "Not affected", "package_name" : "rhdh-operator-container", "cpe" : "cpe:/a:redhat:rhdh:1" }, { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "fence-agents", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Will not fix", "package_name" : "com.azure/azure-identity", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat Openshift Data Foundation 4", "fix_state" : "Not affected", "package_name" : "odf4/mcg-core-rhel8", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Not affected", "package_name" : "devspaces/code-rhel8", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-35255\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-35255\nhttps://github.com/Azure/azure-sdk-for-go/commit/50774cd9709905523136fb05e8c85a50e8984499\nhttps://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4806#issuecomment-2178960340\nhttps://github.com/advisories/GHSA-m5vv-6r4h-3vj9\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255" ], "name" : "CVE-2024-35255", "csaw" : false }