<p>Upgrade <code>Microsoft.Identity.Client</code> to version 4.59.1, 4.60.3 or higher.</p>

Improper Export of Android Application Components Affecting microsoft.identity.client package, versions [4.48.0,4.59.1) [4.60.0,4.60.3)

Snyk CVSS

Attack Complexity Low

User Interaction Required

Threat Intelligence

EPSS 0.04% (9^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-DOTNET-MICROSOFTIDENTITYCLIENT-6615953
published 17 Apr 2024
disclosed 16 Apr 2024
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 16 Apr 2024

New CVE-2024-27086 Open this link in a new tab CWE-926 Open this link in a new tab

How to fix?

Upgrade Microsoft.Identity.Client to version 4.59.1, 4.60.3 or higher.

Overview

Affected versions of this package are vulnerable to Improper Export of Android Application Components in AuthenticationAgentActivity.cs, which can allow denial of service to applications on the same device using MSAL.NET for authentication. A malicious application installed by the victim can block the victim from authenticating to those legitimate applications.

Note: Only Xamarin Android and .NET Android (MAUI) applications are vulnerable.

Workaround

This vulnerability can be avoided by setting android:exported to "false" in the microsoft.identity.client.AuthenticationAgentActivity config.

References

GitHub Commit