Summary
Legit Security found a zero-click vulnerability in Azure Pipelines that allows
an attacker to access secrets and internal information and perform actions in
elevated permissions in the context of a pipeline workflow. This could allow
attackers to move laterally in the organization and initiate supply chain attacks.
When a pipeline is triggered by a "pipeline resource trigger," it shows in the
platform as "Automatically Triggered For …" Instead of running in fork default
permissions, preventing any access to secrets and sensitive actions, Azure Pipelines
"confuses" the trigger for an internal build allowing access sensitive build secrets.
Exploitability depends on a public GitHub repository that runs Azure pipelines on pull-request,
with default Azure pipeline fork configurations to trigger pipeline run, and Pipeline-Triggers.
Affected Services
Azure DevOps Services, Azure Pipelines
Remediation
None required if you are using Azure DevOps cloud services.
Otherwise, make sure you're running a patched build.
Tracked CVEs
CVE-2023-36561
References
Contributed by https://github.com/ramimac
Entry Status
Finalized
Disclosure Date
Tue, May 23rd, 2023
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Nadav Noy, Legit Security
