CVE & CISA-KEV Catalog

CVE-2021-42306

HIGHEPSS 86th pctl
8.1
CVSS v3
NVD

Description

An information disclosure vulnerability manifests when a user or an application uploads unprotected private key data as part of an authentication certificate keyCredential on an Azure AD Application or Service Principal (which is not recommended). This vulnerability allows a user or service in the tenant with application read access to read the private key data that was added to the application. Azure AD addressed this vulnerability by preventing disclosure of any private key values added to the application. Microsoft has identified services that could manifest this vulnerability, and steps that customers should take to be protected. Refer to the FAQ section for more information. For more details on this issue, please refer to the MSRC Blog Entry.

How to fix

Remediation Available
azure active directoryNVD
Affected:< 2021-10-30Fixed in:2021-10-30CVE-2021-42306derived from NVD
azure active site recoveryNVD
Affected:< 2021-11-01Fixed in:2021-11-01CVE-2021-42306derived from NVD
azure automationNVD
Affected:< 2021-10-15Fixed in:2021-10-15CVE-2021-42306derived from NVD
azure migrateNVD
Affected:< 2021-11-02Fixed in:2021-11-02CVE-2021-42306derived from NVD

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredLow
User InteractionNone
ScopeUnchanged

Impact

ConfidentialityHigh
IntegrityHigh
AvailabilityNone

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploit Intelligence

3.08%probability of exploitation in 30 days
86thpercentile

Elevated risk: more likely to be exploited than 86% of all known CVEs.

References

Embed a live status badge for CVE-2021-42306
CVE-2021-42306 severity badge

Markdown

[![CVE-2021-42306](https://tridentstack.com/cve/badge/CVE-2021-42306.svg)](https://tridentstack.com/cve/CVE-2021-42306)

HTML

<a href="https://tridentstack.com/cve/CVE-2021-42306"><img src="https://tridentstack.com/cve/badge/CVE-2021-42306.svg" alt="CVE-2021-42306"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-02-24.