VYPR
Moderate severity · NVD Advisory · Published Oct 30, 2024 · Updated Oct 30, 2024

ICG.AspNetCore.Utilities.CloudStorage's Secure Token Durations Different Than Expected

CVE-2024-50353

Description

A bug in ICG.AspNetCore.Utilities.CloudStorage causes generated SAS URLs to always expire in 1 hour regardless of the configured duration.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Description

The vulnerability resides in the ICG.AspNetCore.Utilities.CloudStorage library, a set of wrappers for Microsoft Azure Storage APIs. The CreateSASUrl method was intended to accept a tokenDuration parameter to control the SAS URL's expiration, but the implementation incorrectly used a hardcoded value of DateTimeOffset.UtcNow.AddHours(1) instead of the user-supplied duration [4]. As a result, SAS URLs always expired in exactly one hour, ignoring the configured token duration [1].

Exploitation

The mismatch between the requested and actual token duration means that users who expected a shorter-lived SAS URL (e.g., for security) received one that lived longer than intended, potentially widening the window of unauthorized access. Conversely, users who expected a longer duration received a shorter one, which could cause application failures. The attack surface is limited to scenarios where an attacker can intercept or obtain a SAS URL that was intended to have a short lifespan; the bug does not introduce remote code execution or require authentication bypass beyond the SAS URL itself [2][3].

Impact

An attacker who gains access to a SAS URL generated by the vulnerable library could use it for a longer period than the developer anticipated, granting extended access to the underlying Azure Blob Storage resource (e.g., read, write, or delete depending on the SAS permissions). This increases the risk of data exposure or manipulation, though the exact privileges depend on the SAS token's configured permissions [2][3].

Mitigation

The issue has been fixed in version 8.0.0 of the library by replacing the hardcoded AddHours(1) with AddMinutes(tokenDuration) [4]. Users are advised to upgrade to the latest version immediately. No workaround is available for earlier versions. The NVD has not yet provided a CVSS score for this CVE [1].
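A way to confirm that a deployed build honors the configured duration, as an added example that is not part of the advisory or the library: it reads the `se` (signed expiry) query parameter of a SAS URL and compares the resulting lifetime with the minutes the caller configured. The function name, the tolerance, the status labels and the sample URLs are constructed for illustration; it assumes the caller recorded when the URL was issued and that `se` uses the seconds-precision UTC form.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Expiry that the advisory says affected versions always applied.
HARDCODED = timedelta(hours=1)


def check_sas_lifetime(sas_url, issued_at, configured_minutes,
                       tolerance=timedelta(minutes=2)):
    """Classify a SAS URL's lifetime against the configured duration.

    Returns (status, actual_minutes). status is "ok", "hardcoded-1h",
    "mismatch", or "no-expiry" (se missing or not in the assumed format).
    """
    values = parse_qs(urlsplit(sas_url).query).get("se")  # se = signed expiry
    if not values:
        return ("no-expiry", None)
    try:
        # Assumption: seconds-precision UTC timestamp, e.g. 2024-10-30T13:00:00Z
        expires_on = datetime.strptime(values[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return ("no-expiry", None)
    actual = expires_on.replace(tzinfo=timezone.utc) - issued_at
    expected = timedelta(minutes=configured_minutes)
    actual_minutes = actual.total_seconds() / 60
    if abs(actual - expected) <= tolerance:
        return ("ok", actual_minutes)
    if abs(actual - HARDCODED) <= tolerance:
        # Lifetime ignores the configured value and matches the fixed 1 hour.
        return ("hardcoded-1h", actual_minutes)
    return ("mismatch", actual_minutes)


# Constructed sample data: account, container, blob and signature are placeholders.
BASE = "https://example.blob.core.windows.net/docs/report.pdf?sr=b&sp=r&sig=PLACEHOLDER"
ISSUED = datetime(2024, 10, 30, 12, 0, 0, tzinfo=timezone.utc)
SAMPLES = {
    "5 min requested, 1 h issued": (BASE + "&se=2024-10-30T13%3A00%3A00Z", 5),
    "5 min requested, 5 min issued": (BASE + "&se=2024-10-30T12%3A05%3A00Z", 5),
    "240 min requested, 1 h issued": (BASE + "&se=2024-10-30T13%3A00%3A00Z", 240),
}

if __name__ == "__main__":
    for label, (url, minutes) in SAMPLES.items():
        print(label, "->", check_sas_lifetime(url, ISSUED, minutes))
```

A configured duration of exactly 60 minutes cannot distinguish the two behaviours, so run the check with a value other than 60.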

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: ICG.AspNetCore.Utilities.CloudStorage (NuGet)
Affected versions: < 8.0.0
Patched versions: 8.0.0

Patches

8ea534481181

Addressed an issue with token duration usage.

1 file changed · +1 -1
  • src/AspNetCore.Utilities.CloudStorage/AzureCloudStorageProvider.cs (+1 -1, modified)
    @@ -372,7 +372,7 @@ public string CreateSASUrl(string container, string objectName, int tokenDuratio
                         BlobContainerName = container,
                         BlobName = objectName,
                         Resource = "b",
    -                    ExpiresOn = DateTimeOffset.UtcNow.AddHours(1)
    +                    ExpiresOn = DateTimeOffset.UtcNow.AddMinutes(tokenDuration)
                     };
                     tokenBuilder.SetPermissions(BlobSasPermissions.Read);
                     return blobClient.GenerateSasUri(tokenBuilder).ToString();
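
Review bot: `tokenDuration` is passed straight into `AddMinutes(tokenDuration)` on the `ExpiresOn` line with no range check visible in this hunk, so a zero or negative value yields a SAS that is already expired and a very large value yields one that is effectively long-lived. Suggest rejecting non-positive values and capping the maximum before the token builder is populated. The unit is also only implied by the `AddMinutes` call: the `int` parameter in the signature does not say minutes, so a doc comment or a unit-bearing name would keep callers from passing hours or seconds, and a test asserting that the expiry tracks the argument would catch a regression to a fixed value.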
    

References

4
