azure.identity.1.3.0.nupkg: 3 vulnerabilities (highest severity is: 8.8)

[mend-for-github-com[bot]]

Vulnerable Library - azure.identity.1.3.0.nupkg

This is the implementation of the Azure SDK Client Library for Azure Identity

Library home page: https://api.nuget.org/packages/azure.identity.1.3.0.nupkg

Path to dependency file: /Source/CompanyCommunicator/Microsoft.Teams.Apps.CompanyCommunicator.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (azure.identity.1.3.0.nupkg version)	Remediation Possible**	Reachability
CVE-2023-36414	High	8.8	azure.identity.1.3.0.nupkg	Direct	Azure.Identity - 1.10.2	✅
CVE-2024-35255	Medium	5.5	azure.identity.1.3.0.nupkg	Direct	@azure/identity - 4.2.1, @azure/msal-node - 2.9.1, Azure.Identity - 1.11.4, Microsoft.Identity.Client - 4.61.3, azure-identity - 1.16.1, com.azure:azure-identity:1.12.2, github.com/Azure/azure-sdk-for-go/sdk/azidentity - 1.6.0	✅
CVE-2024-29992	Medium	5.5	azure.identity.1.3.0.nupkg	Direct	Azure.Identity - 1.11.0	✅

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-36414

### Vulnerable Library - azure.identity.1.3.0.nupkg

This is the implementation of the Azure SDK Client Library for Azure Identity

Library home page: https://api.nuget.org/packages/azure.identity.1.3.0.nupkg

Path to dependency file: /Source/CompanyCommunicator/Microsoft.Teams.Apps.CompanyCommunicator.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg

Dependency Hierarchy: - :x: **azure.identity.1.3.0.nupkg** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Azure Identity SDK Remote Code Execution Vulnerability

Publish Date: 2023-10-10

URL: CVE-2023-36414

### CVSS 3 Score Details (8.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-36414

Release Date: 2023-10-10

Fix Resolution: Azure.Identity - 1.10.2

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2024-35255

### Vulnerable Library - azure.identity.1.3.0.nupkg

This is the implementation of the Azure SDK Client Library for Azure Identity

Library home page: https://api.nuget.org/packages/azure.identity.1.3.0.nupkg

Path to dependency file: /Source/CompanyCommunicator/Microsoft.Teams.Apps.CompanyCommunicator.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg

Dependency Hierarchy: - :x: **azure.identity.1.3.0.nupkg** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability

Publish Date: 2024-06-11

URL: CVE-2024-35255

### CVSS 3 Score Details (5.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-m5vv-6r4h-3vj9

Release Date: 2024-06-11

Fix Resolution: @azure/identity - 4.2.1, @azure/msal-node - 2.9.1, Azure.Identity - 1.11.4, Microsoft.Identity.Client - 4.61.3, azure-identity - 1.16.1, com.azure:azure-identity:1.12.2, github.com/Azure/azure-sdk-for-go/sdk/azidentity - 1.6.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

CVE-2024-29992

### Vulnerable Library - azure.identity.1.3.0.nupkg

This is the implementation of the Azure SDK Client Library for Azure Identity

Library home page: https://api.nuget.org/packages/azure.identity.1.3.0.nupkg

Path to dependency file: /Source/CompanyCommunicator/Microsoft.Teams.Apps.CompanyCommunicator.csproj

Path to vulnerable library: /home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg,/home/wss-scanner/.nuget/packages/azure.identity/1.3.0/azure.identity.1.3.0.nupkg

Dependency Hierarchy: - :x: **azure.identity.1.3.0.nupkg** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Azure Identity Library for .NET Information Disclosure Vulnerability

Publish Date: 2024-04-09

URL: CVE-2024-29992

### CVSS 3 Score Details (5.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-wvxc-855f-jvrv

Release Date: 2024-04-09

Fix Resolution: Azure.Identity - 1.11.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

---

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.