Description
Library version used
microsoft.identity.client 4.61.3
.NET version
.NET 8
Scenario
ConfidentialClient - service to service (AcquireTokenForClient)
Is this a new or an existing app?
None
Issue description and reproduction steps
We are using the packages below in our application:
Microsoft.Identity.Web (3.0.1)
Microsoft.Identity.Web.UI (3.0.1)
Microsoft.Identity.Web.GraphServiceClient (3.0.1)
These packages have the child package 'microsoft.identity.client (4.61.3)', and this is causing CWE-331 and CWE-259 vulnerabilities.
Description
We are getting microsoft.identity.client.dll CWE-331 and CWE-259 vulnerabilities in our application, and below are the locations for reference:
microsoft.identity.client.dll
System.Nullable GetRefreshOnWithJitter(Cache.Items.MsalAccessTokenCacheItem) at "microsoft_identity_client_dll.Microsoft.Identity.Client.Internal.SilentRequestHelper"
microsoft.identity.client.dll
void !ctor() at "microsoft_identity_client_dll.Microsoft.Identity.Client.Cache.Items.MsalIdTokenCacheItem"
microsoft.identity.client.dll
void !ctor(string, System.DateTimeOffset, System.DateTimeOffset, System.DateTimeOffset, System.Nullable, string, string, string) at "microsoft_identity_client_dll.Microsoft.Identity.Client.Cache.Items.MsalIdTokenCacheItem"
microsoft.identity.client.dll
System.Threading.Tasks.Task StartDefaultOsBrowserAsync(string, bool) 90% at "microsoft_identity_client_dll.Microsoft.Identity.Client.Platforms.netcore.NetCorePlatformProxy"
microsoft.identity.client.dll
void MoveNext() at "microsoft_identity_client_dll.Microsoft.Identity.Client.SystemWebViewOptions._3COpenWithChromeEdgeBrowserAsync_3Ed__28"
Relevant code snippets
Expected behavior
No response
Identity provider
Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)
Regression
No response
Solution and workarounds
No response