CVE-2021-1725

CVSS v4.0

8.2

High

Vector

AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions Bot Framework SDK versions prior to the fixed version

Description The vulnerability is related to the lack of protection of service data in the Bot Framework SDK. It may allow a remote attacker to gain unauthorized access to protected information. A maliciously crafted claim may be incorrectly authenticated by the bot, impacting bots that are not configured to be used as a Skill. This issue requires an attacker to have internal knowledge of the bot.

Recommendations For versions prior to the fixed version, update to a patched version. As a temporary workaround, consider adding an authentication configuration containing ClaimsValidator, which throws an exception if Claims are Skill Claims. Restrict access to potentially vulnerable bots to minimize the risk of exploitation.

Fix

Improper Authentication

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-287CWE-200

Related Identifiers

BDU:2021-00263

CVE-2021-1725

GHSA-CQFF-FX2X-P86V

GHSA-FVCJ-HVFW-7F2V

PYSEC-2021-422

Affected Products

Bot Framework Sdk

CVE-2021-1725

Weakness Enumeration

Related Identifiers

Affected Products

References · 17