Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Security update for the Passport-Azure-AD for Node.js library



Summary

An elevation of privilege vulnerability exists when the Azure Active Directory Passport library (Passport-Azure-AD for Node.js) incorrectly validates ID tokens.

An attacker who successfully exploits this vulnerability could bypass Azure Active Directory authentication to a targeted web application. To exploit it, the attacker would have to send the target web application a specially crafted ID token that carries a valid user's identity claims; because the token is not validated correctly, the application treats those claims as authenticated. This update addresses the vulnerability by correcting how ID tokens are validated when Passport strategies use Azure Active Directory.



Frequently asked questions about this vulnerability

Q1: I use Azure Active Directory. Am I affected?

A1: This vulnerability only affects web applications that use the Passport-Azure-AD for Node.js library to take advantage of Azure AD for authentication. Standard Azure AD authentication that does not use the Passport-Azure-AD for Node.js library is not affected. The vulnerability exists in web applications that use outdated versions of the Passport-Azure-AD for Node.js library.

Q2: What is Passport-Azure-AD for Node.js?

A2: Passport-Azure-AD for Node.js is a collection of Passport strategies that help you integrate your Node.js applications with Azure Active Directory. It includes OpenID Connect, WS-Federation, and SAML-P authentication and authorization. These strategies let you use the many features of Passport-Azure-AD for Node.js, including web single sign-on (WebSSO), endpoint protection with OAuth, and JWT token issuance and validation.



Update information

Developers who use the Passport-Azure-AD for Node.js library must download the latest version of the library and then update their applications. The technical details are published in the library's GitHub repository.

Developers who use version 1.x must update to version 1.4.6.

Developers who use version 2.0 must update to version 2.0.1.



Status

Microsoft has confirmed that this is a problem in the Passport-Azure-AD for Node.js library.



References

CVE number: CVE-2016-7191

Learn about the terminology that Microsoft uses to describe software updates.



Keywords: atdownload, kbbug, kbexpertiseinter, kbfix, kblangall, kbsecreview, kbsecbulletin, kb, kbsecurity, kbsecvulnerability, kbmustloc


Article Info
Article ID : 3187742
Revision : 1
Created on : 1/7/2017
Published on : 10/1/2016
Exists online : False
Views : 276