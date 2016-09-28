Microsoft Azure Active Directory Passport 2.0.0 Bypass a restriction or similar Vulnerability
21 Dec. 2016
Summary
The Microsoft Azure Active Directory Passport (aka Passport-Azure-AD) library 1.x before 1.4.6 and 2.x before 2.0.1 for Node.js does not recognize the validateIssuer setting, which allows remote attackers to bypass authentication via a crafted token.
Vulnerable Systems:
* Microsoft Azure Active Directory Passport 1.0.0
* Microsoft Azure Active Directory Passport 1.1.0
* Microsoft Azure Active Directory Passport 1.1.1
* Microsoft Azure Active Directory Passport 1.2.0
* Microsoft Azure Active Directory Passport 1.3.0
* Microsoft Azure Active Directory Passport 1.3.1
* Microsoft Azure Active Directory Passport 1.3.2
* Microsoft Azure Active Directory Passport 1.3.3
* Microsoft Azure Active Directory Passport 1.3.4
* Microsoft Azure Active Directory Passport 1.3.5
* Microsoft Azure Active Directory Passport 1.3.6
* Microsoft Azure Active Directory Passport 1.4.0
* Microsoft Azure Active Directory Passport 1.4.1
* Microsoft Azure Active Directory Passport 1.4.2
* Microsoft Azure Active Directory Passport 1.4.3
* Microsoft Azure Active Directory Passport 1.4.4
* Microsoft Azure Active Directory Passport 1.4.5
* Microsoft Azure Active Directory Passport 2.0.0
An attacker who successfully exploits this vulnerability could bypass Azure Active Directory authentication to a targeted host web application. To exploit this vulnerability, an attacker would have to send a specially crafted token to the target web application that contains a valid user's identity claims. This update addresses the vulnerability by correcting how ID tokens are validated when Passport strategies take advantage of Azure Active Directory.