PT-2026-22830 · Microsoft+1 · Azure Ad+2

Truff5.1

Published 2026-03-03 · Updated 2026-03-04 · CVE-2026-3224

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the vulnerable software and affected versions

Devolutions Server versions 2025.3.15.0 and earlier

Description

An authentication bypass exists in the Microsoft Entra ID (Azure AD) authentication mode. An unauthenticated user can authenticate as an arbitrary Entra ID user by presenting a forged JSON Web Token (JWT). The issue affects the /api/v1/login endpoint, where a malicious actor can manipulate the JWT parameter to gain unauthorized access.

Recommendations

Versions 2025.3.15.0 and earlier are affected and should be updated to a fixed release.
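The bug class the description names, as an added Python example that is not Devolutions' code and does not reproduce the actual flaw in Devolutions Server (the page does not say which validation step was missing): a login handler that decodes the JWT and trusts its identity claim without verifying it, beside one that pins the algorithm, checks the signature with the key it trusts, and binds issuer, audience and validity window. The issuer, audience and key values and the HS256 shared secret are constructed assumptions; real Entra ID tokens are RS256-signed and must be checked against the tenant's published JWKS keys.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example. A real deployment verifies RS256 signatures
# against the tenant's JWKS keys, not an HMAC secret; HS256 is a stand-in here.
TENANT_ISSUER = "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0"
APP_AUDIENCE = "api://devolutions-server-example"   # hypothetical application ID URI
TENANT_KEY = b"tenant-signing-key-stand-in"         # stand-in for the identity provider's key
ATTACKER_KEY = b"key-the-attacker-controls"         # any key the forger picks


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a JWT; alg='none' yields an unsigned token, which is what a forger can send."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def vulnerable_login(token: str) -> str:
    """Bug class: decode the payload and trust its identity claim.
    The signature is never checked, so an unauthenticated client can mint a token for any user."""
    _, payload_b64, _ = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    return claims["preferred_username"]


def hardened_login(token: str, now=None) -> str:
    """Verify the token before believing anything inside it."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    # 1. Pin the algorithm: the token must not choose ('none' or a downgrade).
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    # 2. Verify the signature with the key we trust, in constant time.
    expected = hmac.new(TENANT_KEY, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    # 3. Bind the token to our tenant, our application and the current time.
    if claims.get("iss") != TENANT_ISSUER:
        raise PermissionError("wrong issuer")
    if claims.get("aud") != APP_AUDIENCE:
        raise PermissionError("wrong audience")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise PermissionError("token not valid at this time")
    return claims["preferred_username"]


def forged_tokens(victim: str, now: float) -> dict:
    """Tokens an unauthenticated attacker can produce for an arbitrary user (constructed claims)."""
    claims = {"iss": TENANT_ISSUER, "aud": APP_AUDIENCE, "preferred_username": victim,
              "nbf": now - 60, "exp": now + 3600}
    return {"alg_none": make_token(claims, b"", alg="none"),
            "attacker_key": make_token(claims, ATTACKER_KEY)}


def legitimate_token(user: str, now: float) -> str:
    claims = {"iss": TENANT_ISSUER, "aud": APP_AUDIENCE, "preferred_username": user,
              "nbf": now - 60, "exp": now + 3600}
    return make_token(claims, TENANT_KEY)


def rejects(token: str, now: float) -> bool:
    try:
        hardened_login(token, now)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    now = time.time()
    for name, tok in forged_tokens("admin@example.com", now).items():
        print(name, "| vulnerable accepts as:", vulnerable_login(tok), "| hardened rejects:", rejects(tok, now))
    print("legitimate token accepted as:", hardened_login(legitimate_token("alice@example.com", now), now))
```

The order of checks in hardened_login matters: the algorithm and signature are verified before any claim is read, so issuer, audience and time checks only ever run on data the trusted key vouches for.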

Fix

Weakness Enumeration

Improper Authentication

Related identifiers

CVE-2026-3224

Affected products

Azure Ad
Devolutions Server
Entra Id