CVE-2014-6331
Published on: 11/11/2014 12:00:00 AM UTC
Last Modified on: 03/23/2021 11:25:55 PM UTC
Certain versions of Active Directory Federation Services from Microsoft contain the following vulnerability:
Microsoft Active Directory Federation Services (AD FS) 2.0, 2.1, and 3.0, when a configured SAML Relying Party lacks a sign-out endpoint, does not properly process logoff actions, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation, aka "Active Directory Federation Services Information Disclosure Vulnerability."
- CVE-2014-6331 has been assigned by [email protected] to track the vulnerability
CVSS2 Score: 5 - MEDIUM
Access Vector | Access Complexity | Authentication |
---|---|---|
NETWORK | LOW | NONE |

Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|
PARTIAL | NONE | NONE |
CVE References
Description | Tags | Link |
---|---|---|
Assessing Risk for the November 2014 Security Updates - Security Research & Defense - Site Home - TechNet Blogs | Vendor Advisory | blogs.technet.com text/html |
Microsoft Active Directory Federation Services Logout Failure Lets Local Users Access the Target User's Account - SecurityTracker | | www.securitytracker.com text/html |
Microsoft Active Directory Federation Services CVE-2014-6331 Information Disclosure Vulnerability | | cve.report (archive) text/html |
Microsoft Security Bulletin MS14-077 - Important | Microsoft Docs | | docs.microsoft.com text/html |
There are currently no QIDs associated with this CVE
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Microsoft | Active Directory Federation Services | 2.0 | All | All | All |
Application | Microsoft | Active Directory Federation Services | 2.1 | All | All | All |
Application | Microsoft | Active Directory Federation Services | 3.0 | All | All | All |
Operating System | Microsoft | Windows 2008 | All | sp2 | All | All |
Operating System | Microsoft | Windows 2008 | All | sp2 | All | All |
Operating System | Microsoft | Windows 2008 | r2 | sp2 | All | All |
Operating System | Microsoft | Windows Server 2012 | All | All | All | All |
Operating System | Microsoft | Windows Server 2012 | r2 | All | All | All |
- cpe:2.3:a:microsoft:active_directory_federation_services:2.0:*:*:*:*:*:*:*:
- cpe:2.3:a:microsoft:active_directory_federation_services:2.1:*:*:*:*:*:*:*:
- cpe:2.3:a:microsoft:active_directory_federation_services:3.0:*:*:*:*:*:*:*:
- cpe:2.3:o:microsoft:windows_2008:*:sp2:*:*:*:*:x64:*:
- cpe:2.3:o:microsoft:windows_2008:*:sp2:*:*:*:*:x86:*:
- cpe:2.3:o:microsoft:windows_2008:r2:sp2:*:*:*:*:x64:*:
- cpe:2.3:o:microsoft:windows_server_2012:*:*:*:*:*:x64:*:*:
- cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:x64:*:*:
No vendor comments have been submitted for this CVE