
CVE-2024-29992:
Azure Identity Library for .NET Information Disclosure Vulnerability

CVSS Score (v3.1): 5.5

Basic Information

EPSS Score: 0.60817%
Published: 4/9/2024
Updated: 4/11/2024
KEV Status: No
Technology: C#

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name: Azure.Identity
Ecosystem: nuget
Vulnerable Versions: < 1.11.0
First Patched Version: 1.11.0

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from improper handling of IMDS probe requests in managed identity scenarios. The changelog explicitly states that pre-1.11.0 versions of DefaultAzureCredential used retries for IMDS probes, which could lead to prolonged exposure of credential metadata or error leakage. The patch in 1.11.0 specifically addresses this by eliminating retries. Both ManagedIdentityCredential (the component interacting directly with IMDS) and DefaultAzureCredential (the credential chain coordinator) are implicated in this behavioral change, making their token acquisition methods the most likely vulnerable points.
