Microsoft Identity Web Sensitive Information Exposure Vulnerability in Service Logs

Vulnerability

Microsoft Identity Web versions 3.2.0 up to, but not including, 3.8.2 can write credential material to the service logs of confidential client applications (daemons, web apps, and web APIs). Two conditions trigger the exposure. First, when logging is enabled at the Information level, the library logs credential descriptions of the following types together with their secret material: a local certificate file path with its password, a Base64 encoded certificate value, or a client secret. Second, when a certificate is invalid or expired, its details are logged regardless of the log level. Only the second case has a built-in mitigation: the exposed certificate is already invalid or expired and cannot be used. In the first case the logged client secret or certificate password is the one the application actually uses, so it should be treated as compromised.

Impact

Client secrets and certificate details end up in application logs, where anyone or any process with read access to those logs (log aggregation pipelines, SIEM storage, support staff, backups) can recover them and use them to authenticate as the application.

Remediation

Update to Microsoft.Identity.Web 3.8.2 or later, or Microsoft.Identity.Abstractions 9.0.0 or later. In production, avoid ClientCredentials entries of the types listed above (local file path with password, Base64 encoded value, client secret); use a certificate held in Key Vault or in a certificate store, or a federated identity credential backed by a managed identity, so that no secret material is present in configuration or logs. Because affected versions may already have written secrets to logs, review existing logs for the configured client secret or certificate password and rotate any credential found there.
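The following triage script is an added example, not code from Microsoft or from the advisory. It checks a project file for a Microsoft.Identity.Web version in the affected range and an appsettings.json for ClientCredentials entries of the three types the advisory says are logged at Information level, and it shows the weak configuration beside the recommended one. The SourceType values and property names ("ClientSecret", "Base64Encoded", "Path", "KeyVault", "SignedAssertionFromManagedIdentity", "CertificateDiskPath", "KeyVaultUrl" and so on) are assumed to follow the Microsoft.Identity.Abstractions CredentialDescription schema; verify them against the library documentation before relying on the script. The sample project file and settings are constructed for illustration.

```python
"""Triage helper for the Microsoft Identity Web log-exposure advisory (added example,
not Microsoft's code). SourceType names and config property names are assumptions
about the CredentialDescription schema; sample inputs below are constructed."""
import json
import xml.etree.ElementTree as ET

PACKAGE = "Microsoft.Identity.Web"
AFFECTED_MIN = (3, 2, 0)   # first affected version per the advisory
FIXED = (3, 8, 2)          # first fixed version per the advisory

# Credential types the advisory says are logged with their secret material
# at Information level (assumed enum names).
RISKY_SOURCE_TYPES = {"ClientSecret", "Base64Encoded", "Path"}


def parse_version(text):
    """'3.8.1' -> (3, 8, 1); pre-release suffixes and non-numeric parts are dropped."""
    parts = []
    for p in text.split("-")[0].split("."):
        if not p.isdigit():
            break
        parts.append(int(p))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """True for 3.2.0 <= version < 3.8.2."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def affected_package_versions(csproj_xml):
    """Versions of Microsoft.Identity.Web referenced by the project that are affected.
    Handles both the Version attribute and a <Version> child, with or without an xmlns."""
    hits = []
    for el in ET.fromstring(csproj_xml).iter():
        if el.tag.split("}")[-1] != "PackageReference" or el.get("Include") != PACKAGE:
            continue
        ver = el.get("Version") or (el.findtext("Version") or "")
        if is_affected(ver):
            hits.append(ver)
    return hits


def risky_credentials(appsettings_json, section="AzureAd"):
    """(index, SourceType) for each ClientCredentials entry of a logged type."""
    cfg = json.loads(appsettings_json)
    creds = cfg.get(section, {}).get("ClientCredentials", [])
    return [(i, c.get("SourceType", "")) for i, c in enumerate(creds)
            if c.get("SourceType", "") in RISKY_SOURCE_TYPES]


def triage(csproj_xml, appsettings_json):
    """Combine both checks. Exposure in existing logs needs an affected version AND a
    risky credential type; either one alone still needs action (update or reconfigure)."""
    affected = affected_package_versions(csproj_xml)
    risky = risky_credentials(appsettings_json)
    return {
        "affected_versions": affected,
        "risky_credentials": risky,
        "possible_log_exposure": bool(affected) and bool(risky),
        "needs_action": bool(affected) or bool(risky),
    }


# Constructed sample inputs (not from any real project).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.Identity.Web" Version="3.7.1" />
  </ItemGroup>
</Project>"""

# Weak configuration: the secret material sits in config and, on affected
# versions, in Information-level logs.
WEAK_APPSETTINGS = """{
  "AzureAd": {
    "ClientCredentials": [
      { "SourceType": "ClientSecret", "ClientSecret": "<placeholder>" },
      { "SourceType": "Base64Encoded", "Base64EncodedValue": "<placeholder>" },
      { "SourceType": "Path", "CertificateDiskPath": "certs/app.pfx",
        "CertificatePassword": "<placeholder>" }
    ]
  }
}"""

# Corrected configuration per the advisory: the private key stays in Key Vault
# or a managed identity signs the assertion, so nothing secret is in config or logs.
SAFE_APPSETTINGS = """{
  "AzureAd": {
    "ClientCredentials": [
      { "SourceType": "KeyVault", "KeyVaultUrl": "https://example-vault.vault.azure.net",
        "KeyVaultCertificateName": "app-cert" },
      { "SourceType": "SignedAssertionFromManagedIdentity", "ManagedIdentityClientId": "<placeholder>" }
    ]
  }
}"""

if __name__ == "__main__":
    print(triage(SAMPLE_CSPROJ, WEAK_APPSETTINGS))
    print(triage(SAMPLE_CSPROJ, SAFE_APPSETTINGS))
```

Run it against each project's .csproj and appsettings.json; a result with possible_log_exposure set means the logs written while that combination was deployed should be reviewed and the credential rotated, not just the package updated.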

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 3.3
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.