CVE-2014-6331
Summary
| CVE | CVE-2014-6331 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2014-11-11 22:55:00 UTC |
| Updated | 2018-10-12 22:07:00 UTC |
| Description | Microsoft Active Directory Federation Services (AD FS) 2.0, 2.1, and 3.0, when a configured SAML Relying Party lacks a sign-out endpoint, does not properly process logoff actions, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation, aka "Active Directory Federation Services Information Disclosure Vulnerability." |
Risk And Classification
Problem Types: CWE-264
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Microsoft | Active Directory Federation Services | 2.0 | All | All | All |
| Application | Microsoft | Active Directory Federation Services | 2.1 | All | All | All |
| Application | Microsoft | Active Directory Federation Services | 3.0 | All | All | All |
| Operating System | Microsoft | Windows 2008 | All | sp2 | All | All |
| Operating System | Microsoft | Windows 2008 | r2 | sp2 | All | All |
| Operating System | Microsoft | Windows Server 2012 | All | All | All | All |
| Operating System | Microsoft | Windows Server 2012 | r2 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Assessing Risk for the November 2014 Security Updates - Security Research & Defense - Site Home - TechNet Blogs | CONFIRM | blogs.technet.com | Vendor Advisory |
| Microsoft Active Directory Federation Services Logout Failure Lets Local Users Access the Target User's Account - SecurityTracker | SECTRACK | www.securitytracker.com | |
| Microsoft Active Directory Federation Services CVE-2014-6331 Information Disclosure Vulnerability | BID | www.securityfocus.com | |
| Microsoft Security Bulletin MS14-077 - Important \| Microsoft Docs | MS | docs.microsoft.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.