CVE-2024-35255
Aliases: GHSA-m5vv-6r4h-3vj9, GO-2024-2918
Advisory lineage Upstream: 0 Downstream: 5
Modified
Published: 11 Jun 2024, 16:59
Last modified: 17 Dec 2025, 22:23
Vulnerability Summary
- Overall Risk (default): low, 22/100
- CVSS Score: 5.5 MEDIUM, v3.1 (cve.org)
- EPSS Score: 0.22% LOW
- KEV: Not listed
- Ransomware: No reports
- Public exploits: None found
- Dark Web: Not detected
Timeline
- 11 Jun 2024, 16:59 • Published • Vulnerability first disclosed
- 17 Dec 2025, 22:23 • Last Modified • Vulnerability information updated
Description
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
CVSS Metrics
- v4.0 • MEDIUM • Score: 6.8 • CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
- v3.1 • MEDIUM • Score: 5.5 • CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
- v3.1 • MEDIUM • Score: 5.5 • CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Trends
Current EPSS score: 0.22% • Percentile: 45%
Techniques & Countermeasures
- CWE-362•Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Affected Systems
- github.com/Azure/azure-sdk-for-go/sdk•azidentity
< 1.6.0 | < 1.6.0-beta.4.0.20240610221955-50774cd97099
- com.azure•azure-identity
< 1.12.2
- com.microsoft.azure•msal4j
≥ 1.14.4-beta, < 1.15.1
- microsoft•authentication_library
< 1.15.1 | ≤ 2.9.2 | < 4.61.3
- microsoft•azure identity library
≥ 1.0.0, < 1.6.0
- microsoft•azure identity library for c++
≥ 1.0.0, < 1.8.0
- microsoft•azure identity library for java
≥ 1.0.0, < 1.12.2
- microsoft•azure identity library for javascript
≥ 1.0.0, < 4.2.1
- microsoft•azure_identity_library_for_.net
≥ 1.0.0, < 1.11.4
- microsoft•azure identity library for python
≥ 1.0.0, < 1.16.1
- microsoft•azure_identity_sdk
< 1.6.0 | < 1.8.0 | < 1.11.4 | < 1.12.2 | < 1.16.1 | < 4.2.1
- microsoft•microsoft authentication library
≥ 1.0.0, < 1.15.1
- @azure•identity
< 4.2.1
- @azure•msal-node
≥ 2.7.0, < 2.9.2
- NuGet•Azure.Identity
< 1.11.4
- NuGet•Microsoft.Identity.Client
≥ 4.49.1, < 4.60.4 | ≥ 4.61.0, < 4.61.3
- PyPI•azure-identity
< 1.16.1
References (9)
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255
- https://nvd.nist.gov/vuln/detail/CVE-2024-35255
- https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4806#issuecomment-2178960340
- https://github.com/Azure/azure-sdk-for-go/commit/50774cd9709905523136fb05e8c85a50e8984499
- https://github.com/Azure/azure-sdk-for-java/commit/5bf020d6ea056de40e2738e3647a4e06f902c18d
- https://github.com/Azure/azure-sdk-for-js/commit/c6aa75d312ae463e744163cedfd8fc480cc8d492
- https://github.com/Azure/azure-sdk-for-net/commit/9279a4f38bf69b457cfb9b354f210e0a540a5c53
- https://github.com/Azure/azure-sdk-for-python/commit/cb065acd7d0f957327dc4f02d1646d4e51a94178
- https://github.com/advisories/GHSA-m5vv-6r4h-3vj9