Vulnerability Description
Microsoft Active Directory Federation Services (AD FS) 2.0, 2.1, and 3.0, when a configured SAML Relying Party lacks a sign-out endpoint, does not properly process logoff actions, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation, aka "Active Directory Federation Services Information Disclosure Vulnerability."
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Microsoft | Active Directory Federation Services | 2.1 |
| Microsoft | Windows Server 2012 | All versions |
| Microsoft | Windows 2008 | All versions |
Related Weaknesses (CWE)
References
- http://blogs.technet.com/b/srd/archive/2014/11/11/assessing-risk-for-the-novembe (Vendor Advisory)
- http://www.securityfocus.com/bid/70938
- http://www.securitytracker.com/id/1031195
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-07
FAQ
What is CVE-2014-6331?
CVE-2014-6331 is a vulnerability with a CVSS score of 5.0 (MEDIUM). Microsoft Active Directory Federation Services (AD FS) 2.0, 2.1, and 3.0, when a configured SAML Relying Party lacks a sign-out endpoint, does not properly process logoff actions, which makes it easie...
How severe is CVE-2014-6331?
CVE-2014-6331 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-6331?
Check the references section above for vendor advisories and patch information. Affected products include: Microsoft Active Directory Federation Services, Microsoft Windows Server 2012, Microsoft Windows 2008.