Azure Active Directory Security Feature Bypass Vulnerability - CVE-2023-36871
ID: oval:org.secpod.oval:def:90891 | Date: (C)2023-07-13 (M)2024-03-06 | Class: VULNERABILITY | Family: windows
Azure Active Directory Security Feature Bypass Vulnerability. An attacker would require access to a low-privileged session on the user's device to obtain a JWT (JSON Web Token), which can then be used to craft a long-lived assertion using the Windows Hello for Business key from the victim's device. By exploiting this vulnerability, an attacker can craft a long-lived assertion and impersonate a victim user, affecting the integrity of the assertion. An attacker can bypass the Windows Trusted Platform Module by crafting an assertion and using the assertion to request a Primary Refresh Token from another device.
Platform:
Microsoft Windows 10
Microsoft Windows 11
Microsoft Windows Server 2016
Microsoft Windows Server 2019
Microsoft Windows Server 2022