Update dependency Azure.Identity to 1.11.4 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
Azure.Identity (source)	1.8.2 → 1.11.4

---

Azure Identity SDK Remote Code Execution Vulnerability

CVE-2023-36414 / GHSA-5mfx-4wcx-rv27

More information

Details

Azure Identity SDK is vulnerable to remote code execution.

Severity

• CVSS Score: 8.8 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2023-36414
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36414
• https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/CHANGELOG.md#1102-2023-10-10
• https://github.com/advisories/GHSA-5mfx-4wcx-rv27

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Azure Identity Library for .NET Information Disclosure Vulnerability

CVE-2024-29992 / GHSA-wvxc-855f-jvrv

More information

Details

Azure Identity Library for .NET Information Disclosure Vulnerability

Severity

• CVSS Score: 5.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-29992
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-29992
• https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/CHANGELOG.md#1110-2024-04-09
• https://github.com/advisories/GHSA-wvxc-855f-jvrv

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability

CVE-2024-35255 / GHSA-m5vv-6r4h-3vj9

More information

Details

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.

Severity

• CVSS Score: 6.8 / 10 (Medium)
• Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-35255
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255
• https://github.com/Azure/azure-sdk-for-go/commit/50774cd9709905523136fb05e8c85a50e8984499
• https://github.com/Azure/azure-sdk-for-js/commit/c6aa75d312ae463e744163cedfd8fc480cc8d492
• https://github.com/Azure/azure-sdk-for-python/commit/cb065acd7d0f957327dc4f02d1646d4e51a94178
• https://github.com/Azure/azure-sdk-for-java/commit/5bf020d6ea056de40e2738e3647a4e06f902c18d
• https://github.com/Azure/azure-sdk-for-net/commit/9279a4f38bf69b457cfb9b354f210e0a540a5c53
• https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/4806#issuecomment-2178960340
• https://github.com/advisories/GHSA-m5vv-6r4h-3vj9

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

Azure/azure-sdk-for-net (Azure.Identity)

v1.11.4

Compare Source

1.11.4 (2024-06-10)

Bugs Fixed

• Managed identity bug fixes

v1.11.3

Compare Source

1.11.3 (2024-05-07)

Bugs Fixed

• Fixed a regression in DefaultAzureCredential probe request behavior for IMDS managed identity environments. #​43796

v1.11.2

Compare Source

1.11.2 (2025-08-11)

Features Added

• Make Azure.ResourceManager.Network AOT-compatible

Bugs Fixed

• Fixed an issue in ManagedRuleSetRuleGroup deserialization where rule IDs could be either strings or numbers in JSON, causing InvalidOperationException when parsing mixed-type arrays.

v1.11.1

Compare Source

1.11.1 (2024-05-07)

Other Changes

• Updated Microsoft.Identity.Client and related dependencies to version 4.60.3

v1.11.0

Compare Source

1.11.0 (2024-04-09)

Bugs Fixed

• AzurePowerShellCredential now handles the case where it falls back to legacy PowerShell without relying on the error message string.

Breaking Changes

• DefaultAzureCredential now sends a probe request with no retries for IMDS managed identity environments to avoid excessive retry delays when the IMDS endpoint is not available. This should improve credential chain resolution for local development scenarios. See BREAKING_CHANGES.md.

v1.10.4

Compare Source

1.10.4 (2023-11-13)

Other Changes

• Distributed tracing with ActivitySource is stable and no longer requires the Experimental feature-flag.

v1.10.3

Compare Source

1.10.3 (2023-10-18)

Bugs Fixed

• ManagedIdentityCredential will now correctly retry when the instance metadata endpoint returns a 410 response. #​28568

Other Changes

• Updated Microsoft.Identity.Client dependency to version 4.56.0

v1.10.2

Compare Source

1.10.2 (2023-10-10)

Bugs Fixed

• Bug fixes for development time credentials.

v1.10.1

Compare Source

1.10.1 (2023-09-12)

Bugs Fixed

• ManagedIdentityCredential will fall through to the next credential in the chain in the case that Docker Desktop returns a 403 response when attempting to access the IMDS endpoint. #​38218
• Fixed an issue where interactive credentials would still prompt on the first GetToken request even when the cache is populated and an AuthenticationRecord is provided. #​38431

v1.10.0

Compare Source

1.10.0 (2026-03-16)

Features Added

• Added JsonPatch.EnumerateArray method that iterates over JSON array elements at a specified path, yielding each element as raw UTF-8 bytes.
• Added CollectionResult<T>.FromPages and AsyncCollectionResult<T>.FromPages static factory methods that create collection result instances from pre-existing pages of values for testing.
• Added IsReadOnly property to ClientPipelineOptions and ClientLoggingOptions so callers can check whether options can still be modified without catching an exception.
• Added Clone() method to ClientPipelineOptions and ClientLoggingOptions that creates a new mutable instance from an existing instance that may be read-only.
• Added ConfigurationSchema.json to the NuGet package via the MSBuild JsonSchemaSegment feature, enabling automatic JSON IntelliSense and validation for appsettings.json when configuring System.ClientModel-based clients.
• Updated BCL dependencies to 10.x.

Bugs Fixed

• Fixed implicit conversion operator for ClientResult<T> to not throw exceptions on null inputs per Framework Design Guidelines. Null inputs now return default.

Breaking Changes

• Added nullability annotation to the ClientResult<T> implicit conversion operator parameter to indicate that null is a valid input. This change was made because throwing exceptions from implicit conversions violates the Framework Design Guidelines.

v1.9.0

Compare Source

1.9.0 (2023-05-09)

Breaking Changes

• Changed visibility of all environment variable based properties on EnvironmentCredentialOptions to internal. These options are again only configurable via environment variables.

---

Configuration

📅 Schedule: (in timezone Europe/Oslo)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.