An attacker who successfully exploits this vulnerability could receive a token granting higher privilege than should be granted for an application.
This issue occurs in scenarios that use the On Behalf Of protocol flow, and in specific cases where a ClientAssertion, ClientAssertionCertificate, or ClientCredential is passed together with a UserAssertion to the AcquireToken* APIs.
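The following is an added example, not code from this article or from the ADAL .NET project. It shows the call pattern the advisory describes (a ClientCredential and a UserAssertion passed to AcquireTokenAsync in an On Behalf Of exchange) and layers a consistency check on the returned token: the token handed to the downstream resource must carry the same user (oid) and tenant (tid) as the caller's incoming token and the audience (aud) that was requested. The authority, client ID, secret placeholder, downstream resource, and the check itself are assumptions for a hypothetical middle-tier API; the check is defense in depth and does not replace moving off the affected ADAL versions listed in A2.

```csharp
// Added example for this advisory; not code from KB 3190237 or from the ADAL .NET project.
// NuGet packages assumed: Microsoft.IdentityModel.Clients.ActiveDirectory (ADAL .NET 3.x)
//                         System.IdentityModel.Tokens.Jwt
using System;
using System.Linq;
using System.Threading.Tasks;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static class OnBehalfOfExample
{
    // All values below are placeholders/assumptions for a hypothetical middle-tier API.
    const string Authority = "https://login.microsoftonline.com/contoso.onmicrosoft.com";
    const string ClientId = "00000000-0000-0000-0000-000000000000";
    const string ClientSecret = "<read-from-a-secret-store>";
    const string DownstreamResource = "https://graph.windows.net";
    const string JwtBearerAssertionType = "urn:ietf:params:oauth:grant-type:jwt-bearer";

    // Exchange the bearer token this API received (incomingToken) for a token to the downstream
    // resource, acting on behalf of the same user. This is the call pattern the advisory names.
    public static async Task<string> AcquireDownstreamTokenAsync(string incomingToken)
    {
        var context = new AuthenticationContext(Authority);
        var clientCredential = new ClientCredential(ClientId, ClientSecret);
        var userAssertion = new UserAssertion(incomingToken, JwtBearerAssertionType);

        AuthenticationResult result =
            await context.AcquireTokenAsync(DownstreamResource, clientCredential, userAssertion);

        if (!TokenMatchesCaller(incomingToken, DownstreamResource, result.AccessToken))
        {
            // Never forward a token that is for a different user, tenant or resource.
            throw new InvalidOperationException(
                "Acquired token does not match the on-behalf-of caller or the requested resource.");
        }
        return result.AccessToken;
    }

    // Assumed defense-in-depth check (not part of ADAL): the token we hand downstream must be for
    // the same user (oid) and tenant (tid) as the caller, and for the resource we asked for (aud).
    // Azure AD access tokens are JWTs in practice, but they are issued for the downstream resource,
    // so a token that cannot be parsed is rejected rather than trusted.
    public static bool TokenMatchesCaller(string incomingToken, string requestedResource, string accessToken)
    {
        JwtSecurityToken incoming;
        JwtSecurityToken outgoing;
        try
        {
            incoming = new JwtSecurityToken(incomingToken);
            outgoing = new JwtSecurityToken(accessToken);
        }
        catch (ArgumentException)
        {
            return false;
        }

        string callerOid = ClaimValue(incoming, "oid");
        string callerTid = ClaimValue(incoming, "tid");
        if (callerOid == null || callerTid == null)
        {
            return false;
        }

        bool sameUser = callerOid == ClaimValue(outgoing, "oid");
        bool sameTenant = callerTid == ClaimValue(outgoing, "tid");
        // "aud" is normally the resource URI that was requested; if the downstream resource is
        // issued tokens with its application ID as the audience, compare against that ID instead.
        bool sameResource = outgoing.Claims.Any(c => c.Type == "aud" && c.Value == requestedResource);

        return sameUser && sameTenant && sameResource;
    }

    static string ClaimValue(JwtSecurityToken token, string type)
    {
        return token.Claims.FirstOrDefault(c => c.Type == type)?.Value;
    }
}
```

The check fails closed: a token whose user, tenant or audience cannot be confirmed is not forwarded. Because the access token belongs to the downstream resource, this inspection is a heuristic, not validation; the resource still validates the token it receives.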
Frequently asked questions about this vulnerability
Q1: What is Active Directory Authentication Library for .NET?
A1: The Active Directory Authentication Library (ADAL) for .NET provides easy-to-use authentication functionality for .NET clients and Windows Store applications.
Q2: Which versions of Active Directory Authentication Library for .NET (ADAL .NET) are affected?
A2: Two distinct issues, with different behavior, affect different ADAL versions. The affected versions are as follows:
- ADAL versions 2.0.x to 2.21.x inclusive and ADAL versions 3.0.x to 3.5.x inclusive.
- ADAL versions 2.25.x to 2.27.x inclusive and ADAL versions 3.10.x to 3.11.x inclusive.
Q3: I use Azure Active Directory. Am I affected?
A3: This vulnerability affects only applications that use specific versions of ADAL .NET under specific conditions. It does not affect the Azure Active Directory service or Microsoft or Azure infrastructure.
Article ID: 3190237 - Last Review: Sep 7, 2016 - Revision: 1