Lucene search
GoogleOSV:GHSA-CQFF-FX2X-P86VHistoryMar 08, 2021 - 3:50 p.m.
Improper Authentication
2021-03-0815:50:10
Google
osv.dev
11
0.0004 Low
EPSS
Percentile
9.5%
Impact
A maliciously crafted claim may be incorrectly authenticated by the bot. Impacts bots that are not configured to be used as a Skill. This vulnerability requires an attacker to have internal knowledge of the bot.
Patches
The problem has been patched in all affected versions. Please see the list of patched versions for the most appropiate one for your individual case.
Workarounds
Users who do not wish or are not able to upgrade can add an authentication configuration containing ClaimsValidator, which throws an exception if Claims are Skill Claims.
For detailed instructions, see the link in the References section.
For more information
If you have any questions or comments about this advisory:
- Open an issue in Microsoft Bot Builder SDK
- Email us at [email protected]
Related
github
github
botframework-connector vulnerable to Improper Authentication
2021-03-08 15:49:53
osv
osv
botframework-connector vulnerable to Improper Authentication
2021-03-08 15:49:53
PYSEC-2021-422
2021-01-12 20:15:00
nvd
nvd
CVE-2021-1725
2021-01-12 20:15:35
cvelist
cvelist
CVE-2021-1725 Bot Framework SDK Information Disclosure Vulnerability
2021-01-12 19:42:47
cve
cve
CVE-2021-1725
2021-01-12 20:15:35
mscve
mscve
Bot Framework SDK Information Disclosure Vulnerability
2021-01-12 08:00:00
veracode
veracode
Authentication Bypass
2021-03-09 01:06:03
nodejs
nodejs
Improper Authentication
2021-03-08 15:57:38
prion
prion
Information disclosure
2021-01-12 20:15:00
kaspersky
kaspersky
KLA12040 Multiple vulnerability in Microsoft Developer Tools
2021-01-12 00:00:00
rapid7blog
rapid7blog
Patch Tuesday - January 2021
2021-01-12 23:59:00