Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment

Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet's Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.

N/A

密码学签名的验证不恰当

Fleet 数据伪造问题漏洞

Fleet是Fleet的一个开源的设备管理平台，支持多种操作系统和设备，帮助 IT 和安全团队进行设备管理、漏洞报告、MDM 等操作，免费且灵活。 Fleet存在数据伪造问题漏洞，该漏洞源于JWT签名未经验证，可能导致攻击者提交伪造的身份验证令牌并注册未经授权的设备。以下版本受到影响：4.78.3之前版本、4.77.1之前版本、4.76.2之前版本、4.75.2之前版本和4.53.3之前版本。

N/A

N/A