Summary
An elevation of privilege vulnerability exists when the Azure Active Directory Passport library (Passport-Azure-AD for Node.js) incorrectly validates ID tokens.
An attacker who successfully exploits this vulnerability could bypass Azure Active Directory authentication to a targeted host web application. To exploit this vulnerability, an attacker would have to send a specially crafted token to the target web application that contains a valid user's identity claims. This update addresses the vulnerability by correcting how ID tokens are validated when Passport strategies take advantage of Azure Active Directory.Frequently asked questions about this vulnerability
Q1: I use Azure Active Directory. Am I affected?
A1: This vulnerability only affects web applications that use the Passport-Azure-AD for Node.js library to take advantage of Azure AD for authentication. Standard Azure AD authentication that does not use the Passport-Azure-AD for Node.js library is not affected. The vulnerability exists in web applications that use outdated versions of the Passport-Azure-AD for Node.js library. Q2: What is Passport-Azure-AD for Node.js? A2: Passport-Azure-AD for Node.js is a collection of Passport strategies that help you integrate your node applications with Azure Active Directory. It includes OpenID Connect, WS-Federation, and SAML-P authentication and authorization. These providers let you use the many features of Passport-Azure-AD for Node.js, including web single sign-on (WebSSO), Endpoint Protection with OAuth, and JWT token issuance and validation.Update information
Developers who use the Passport Azure AD Node.js library must download the latest version of the Passport-Azure-AD for Node.js library, and then update their applications. The technical details are published in our GitHub repository. Developers who use version 1.x must update to version 1.4.6. Developers who use version 2.0 must update to version 2.0.1.
Status
Microsoft has confirmed that this is a problem in the Passport-Azure-AD for Node.js library.
References
CVE number: 2016-7191terminology that Microsoft uses to describe software updates.
Learn about the