PT-2021-4858 · Microsoft · Azure Active Directory (+3 products)

Karl Fosaaen · Published 2021-11-17 · Updated 2026-02-24

CVE-2021-42306

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Azure Active Directory (AAD) (affected versions not specified)
Azure Automation (affected versions not specified)
Azure Site Recovery (affected versions not specified)
Azure Migrate (affected versions not specified)
Description
The issue stems from a shortcoming in the authentication procedure that can allow a remote attacker to gain unauthorized access to protected information. Specifically, an information disclosure vulnerability arises when a user or application uploads unprotected private key data as part of an authentication certificate keyCredential on an Azure AD Application or Service Principal. Because the keyCredential property is readable, any user or service in the tenant with application read access can read the private key data that was added to the application.
Recommendations
For Azure Active Directory (AAD): to prevent disclosure of private key values added to an application, ensure that private key data is protected and never uploaded as part of an authentication certificate keyCredential on an Azure AD Application or Service Principal; only the public certificate belongs there. As a temporary workaround, consider restricting access to the keyCredential property in the Azure AD Application and Service Principal APIs until a patch is available.
For Azure Automation, Azure Site Recovery, and Azure Migrate: at the moment there is no information about a newer version that contains a fix for this vulnerability.
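A defender-side triage check for the misconfiguration described above, added here as an example and not code from the advisory or from Microsoft: it walks an exported list of applications in the shape of the Microsoft Graph application resource (keyCredentials entries with their base64 key values) and flags every key blob that is not a bare X.509 certificate. The export shape, the constructed sample blobs and the DER heuristic (a certificate opens with a nested SEQUENCE, while PKCS#12, PKCS#8 and PKCS#1/SEC1 key structures open with an INTEGER version) are assumptions.

```python
import base64
import binascii
import json

# Constructed key blobs (minimal DER/PEM stand-ins, not real certificates or keys), base64-encoded as in the keyCredential "key" property.
CERT_B64 = base64.b64encode(b"\x30\x08\x30\x02\x05\x00\x30\x02\x05\x00").decode()  # certificate-shaped: SEQUENCE { SEQUENCE, SEQUENCE }
PKCS8_B64 = base64.b64encode(b"\x30\x05\x02\x01\x00\x05\x00").decode()              # key-shaped: SEQUENCE { INTEGER 0, NULL }
PEM_KEY_B64 = base64.b64encode(b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n").decode()

# Constructed export, assumed to look like GET /applications?$select=displayName,appId,keyCredentials (only the fields used here).
SAMPLE_EXPORT = json.dumps({"value": [
    {"displayName": "app-cert-only", "appId": "11111111-0000-0000-0000-000000000001",
     "keyCredentials": [{"keyId": "k1", "type": "AsymmetricX509Cert", "usage": "Verify", "key": CERT_B64}]},
    {"displayName": "app-pkcs8-upload", "appId": "11111111-0000-0000-0000-000000000002",
     "keyCredentials": [{"keyId": "k2", "type": "AsymmetricX509Cert", "usage": "Verify", "key": PKCS8_B64},
                        {"keyId": "k3", "type": "AsymmetricX509Cert", "usage": "Verify", "key": None}]},
]})


def _first_inner_tag(der: bytes):
    """Return the tag byte of the first element inside an outer DER SEQUENCE, or None if the blob is not one."""
    if len(der) < 3 or der[0] != 0x30:
        return None
    offset = 2 if der[1] < 0x80 else 2 + (der[1] & 0x7F)  # short-form vs. long-form length
    return der[offset] if offset < len(der) else None


def classify_key_blob(key_b64: str) -> str:
    """Classify one keyCredential 'key' value as 'x509_certificate', 'private_key_material' or 'unknown'."""
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    if raw.lstrip().startswith(b"-----BEGIN"):  # PEM text: only a PRIVATE KEY block is a finding
        return "private_key_material" if b"PRIVATE KEY" in raw else "x509_certificate"
    tag = _first_inner_tag(raw)
    if tag == 0x30:  # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        return "x509_certificate"
    if tag == 0x02:  # PKCS#12 PFX, PKCS#8 PrivateKeyInfo, PKCS#1/SEC1 keys all open with an INTEGER version
        return "private_key_material"
    return "unknown"


def audit_export(export_json: str) -> list:
    """Flag every keyCredential whose key blob is not a bare X.509 certificate (unknown blobs need manual review)."""
    findings = []
    for app in json.loads(export_json).get("value", []):
        for cred in app.get("keyCredentials") or []:
            if not cred.get("key"):  # key value not returned: nothing to inspect
                continue
            verdict = classify_key_blob(cred["key"])
            if verdict != "x509_certificate":
                findings.append({"app": app.get("displayName"), "appId": app.get("appId"),
                                 "keyId": cred.get("keyId"), "verdict": verdict})
    return findings
```

Flagged credentials should be removed from the application and the affected certificate and key rotated, since anyone with application read access may already have read them.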

Tags: LPE

Weakness Enumeration
Improper Authentication
Insufficiently Protected Credentials

Related Identifiers

BDU:2021-05586
CVE-2021-42306

Affected Products

Azure Active Directory
Azure Automation
Azure Migrate
Azure Site Recovery