{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-32016", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-04-01T21:57:32.953Z", "datePublished": "2025-04-09T15:48:57.328Z", "dateUpdated": "2025-04-09T20:45:42.880Z"}, "containers": {"cna": {"title": "Microsoft Identity Web Exposes Client Secrets and Certificate Information in Service Logs", "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "lang": "en", "description": "CWE-532: Insertion of Sensitive Information into Log File", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/AzureAD/microsoft-identity-web/security/advisories/GHSA-rpq8-q44m-2rpg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/AzureAD/microsoft-identity-web/security/advisories/GHSA-rpq8-q44m-2rpg"}], "affected": [{"vendor": "AzureAD", "product": "microsoft-identity-web", "versions": [{"version": ">= 3.2.0, < 3.8.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-04-09T15:48:57.328Z"}, "descriptions": [{"lang": "en", "value": "Microsoft Identity Web is a library which contains a set of reusable classes used in conjunction with ASP.NET Core for integrating with the Microsoft identity platform (formerly Azure AD v2.0 endpoint) and AAD B2C. This vulnerability affects confidential client applications, including daemons, web apps, and web APIs. Under specific circumstances, sensitive information such as client secrets or certificate details may be exposed in the service logs of these applications. Service logs are intended to be handled securely. Service logs generated at the information level or credential descriptions containing local file paths with passwords, Base64 encoded values, or Client secret. Additionally, logs of services using Base64 encoded certificates or certificate paths with password credential descriptions are also affected if the certificates are invalid or expired, regardless of the log level. Note that these credentials are not usable due to their invalid or expired status. To mitigate this vulnerability, update to Microsoft.Identity.Web 3.8.2 or Microsoft.Identity.Abstractions 9.0.0."}], "source": {"advisory": "GHSA-rpq8-q44m-2rpg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-09T17:31:14.087025Z", "id": "CVE-2025-32016", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-09T20:45:42.880Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-32016", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-09T17:31:14.087025Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-09T17:31:19.316Z"}}], "cna": {"title": "Microsoft Identity Web Exposes Client Secrets and Certificate Information in Service Logs", "source": {"advisory": "GHSA-rpq8-q44m-2rpg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "AzureAD", "product": "microsoft-identity-web", "versions": [{"status": "affected", "version": ">= 3.2.0, < 3.8.2"}]}], "references": [{"url": "https://github.com/AzureAD/microsoft-identity-web/security/advisories/GHSA-rpq8-q44m-2rpg", "name": "https://github.com/AzureAD/microsoft-identity-web/security/advisories/GHSA-rpq8-q44m-2rpg", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Microsoft Identity Web is a library which contains a set of reusable classes used in conjunction with ASP.NET Core for integrating with the Microsoft identity platform (formerly Azure AD v2.0 endpoint) and AAD B2C. This vulnerability affects confidential client applications, including daemons, web apps, and web APIs. Under specific circumstances, sensitive information such as client secrets or certificate details may be exposed in the service logs of these applications. Service logs are intended to be handled securely. Service logs generated at the information level or credential descriptions containing local file paths with passwords, Base64 encoded values, or Client secret. Additionally, logs of services using Base64 encoded certificates or certificate paths with password credential descriptions are also affected if the certificates are invalid or expired, regardless of the log level. Note that these credentials are not usable due to their invalid or expired status. To mitigate this vulnerability, update to Microsoft.Identity.Web 3.8.2 or Microsoft.Identity.Abstractions 9.0.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-532", "description": "CWE-532: Insertion of Sensitive Information into Log File"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-04-09T15:48:57.328Z"}}}, "cveMetadata": {"cveId": "CVE-2025-32016", "state": "PUBLISHED", "dateUpdated": "2025-04-09T20:45:42.880Z", "dateReserved": "2025-04-01T21:57:32.953Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-04-09T15:48:57.328Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Microsoft Identity Web is a library which contains a set of reusable classes used in conjunction with ASP.NET Core for integrating with the Microsoft identity platform (formerly Azure AD v2.0 endpoint) and AAD B2C. This vulnerability affects confidential client applications, including daemons, web apps, and web APIs. Under specific circumstances, sensitive information such as client secrets or certificate details may be exposed in the service logs of these applications. Service logs are intended to be handled securely. Service logs generated at the information level or credential descriptions containing local file paths with passwords, Base64 encoded values, or Client secret. Additionally, logs of services using Base64 encoded certificates or certificate paths with password credential descriptions are also affected if the certificates are invalid or expired, regardless of the log level. Note that these credentials are not usable due to their invalid or expired status. To mitigate this vulnerability, update to Microsoft.Identity.Web 3.8.2 or Microsoft.Identity.Abstractions 9.0.0."}, {"lang": "es", "value": "Microsoft Identity Web es una librer\u00eda que contiene un conjunto de clases reutilizables que se utilizan junto con ASP.NET Core para la integraci\u00f3n con la plataforma de identidad de Microsoft (anteriormente, endpoint de Azure AD v2.0) y AAD B2C. Esta vulnerabilidad afecta a aplicaciones cliente confidenciales, como daemons, aplicaciones web y API web. En circunstancias espec\u00edficas, informaci\u00f3n confidencial, como secretos de cliente o detalles de certificados, puede quedar expuesta en los registros de servicio de estas aplicaciones. Los registros de servicio est\u00e1n dise\u00f1ados para gestionarse de forma segura. Los registros de servicio generados a nivel de informaci\u00f3n o descripciones de credenciales contienen rutas de archivos locales con contrase\u00f1as, valores codificados en Base64 o secretos de cliente. Adem\u00e1s, los registros de servicios que utilizan certificados codificados en Base64 o rutas de certificados con descripciones de credenciales de contrase\u00f1a tambi\u00e9n se ven afectados si los certificados no son v\u00e1lidos o han caducado, independientemente del nivel de registro. Tenga en cuenta que estas credenciales no se pueden utilizar debido a su estado no v\u00e1lido o caducado. Para mitigar esta vulnerabilidad, actualice a Microsoft.Identity.Web 3.8.2 o Microsoft.Identity.Abstractions 9.0.0."}], "id": "CVE-2025-32016", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-04-09T16:15:24.770", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/AzureAD/microsoft-identity-web/security/advisories/GHSA-rpq8-q44m-2rpg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}