MS13-066 Vulnerability in Active Directory Federation Services Could Allow Information Disclosure
2013-08-13 This security update resolves a privately reported vulnerability in Active Directory Federation Services (AD FS). The vulnerability could reveal information pertaining to the service account used by AD FS. An attacker could then attempt logons from outside the corporate network, which would result in account lockout of the service account used by AD FS if an account lockout policy has been configured. This would result in denial of service for all applications relying on the AD FS instance.
Vulnerabilities addressed in this bulletin:
Bulletin details at Microsoft.com
Vulnerabilities addressed in this bulletin:
- AD FS Information Disclosure Vulnerability
- An information disclosure vulnerability exists in Active Directory Federation Services (AD FS) that could allow the unintentional disclosure of account information.
CVE-2013-3185
Bulletin details at Microsoft.com
Related CVE Entries
Microsoft Active Directory Federation Services (AD FS) 1.x through 2.1 on Windows Server 2003 R2 SP2, Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 allows remote attackers to obtain sensitive information about the service account, and possibly conduct account-lockout attacks, by connecting to an endpoint, aka "AD FS Information Disclosure Vulnerability."
Max CVSS
5.0
EPSS Score
1.56%
Published
2013-08-14
Updated
2020-09-28