
[ADMINAPI-993] Token Permissions Fixes #121

Merged: 3 commits merged into main from ADMINAPI-993 on May 2, 2024

Conversation

msilesgap (Contributor)

No description provided.

@msilesgap msilesgap requested a review from a team as a code owner May 2, 2024 17:52

github-actions bot commented May 2, 2024

🔍 Vulnerabilities of postgres:latest

📦 Image Reference: postgres:latest
    digest: sha256:4937aa603305643b8bf436d0dd541ae33a1d1059737e9ea3007d75db278a05d4
    vulnerabilities: critical: 0, high: 0, medium: 0, low: 1
    platform: linux/amd64
    size: 76 MB
    packages: 433

📦 Base Image: mcr.microsoft.com/dotnet/runtime:8.0-alpine
    digest: sha256:895cf81760e6cc062b46066dac4b5aa3d9962a7926385ff8b4ba6fc6bdc16920
    vulnerabilities: critical: 0, high: 0, medium: 0, low: 0, unspecified: 1

critical: 0, high: 0, medium: 0, low: 1: Microsoft.Identity.Client 4.56.0.0 (nuget)

pkg:nuget/Microsoft.Identity.Client@4.56.0.0

low 3.9: CVE-2024-27086 Incorrect Authorization

    Affected range: >=4.48.0, <4.59.1
    Fixed version: 4.59.1
    CVSS Score: 3.9
    CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
Description

Important: ONLY applications targeting Xamarin Android and .NET Android (MAUI) are impacted. All others can safely dismiss this CVE.

Impact

MSAL.NET applications targeting Xamarin Android and .NET Android (e.g., MAUI) using the library from versions 4.48.0 to 4.60.3 (inclusive, except 4.59.1 and 4.60.3) are impacted by a low severity vulnerability.

A malicious application running on a customer Android device can (1) inject HTML/JavaScript in an embedded web view exported by affected applications, or (2) cause local denial of service against applications that were built using MSAL.NET for authentication on the same device (i.e., prevent the user of the legitimate application from logging in) due to incorrect activity export configuration.

Patches

MSAL.NET version 4.60.3 includes the fix. We recommend all users of MSAL.NET that are building public client applications for Android update to the latest version.

Workarounds

We recommend developers update to the latest version of MSAL.NET. If that is not possible, a developer may explicitly mark the MSAL.NET activity non-exported:

    <activity android:name="microsoft.identity.client.AuthenticationAgentActivity" android:configChanges="orientation|screenSize" android:exported="false">
        <intent-filter>
            <action android:name="android.intent.action.VIEW" />
            <category android:name="android.intent.category.DEFAULT" />
            <category android:name="android.intent.category.BROWSABLE" />
            <data android:scheme="msalYOUR_CLIENT_ID" android:host="auth" />
        </intent-filter>
    </activity>

References

Refer to MSAL.NET documentation for latest guidance and best practices on configuring client applications using the library.


github-actions bot commented May 2, 2024

Test Results

14 tests: 14 ✅ passed, 0 ❌ failed, 0 💤 skipped (1 suite, 1 file, 0s ⏱️)

Results for commit b60846a.

♻️ This comment has been updated with latest results.

@stephenfuqua stephenfuqua merged commit fd7cbfe into main May 2, 2024
15 checks passed
@stephenfuqua stephenfuqua deleted the ADMINAPI-993 branch May 2, 2024 21:34