low

Azure AD information disclosure via undocumented APIs

Published Tue, Apr 5th, 2022

Platforms

Summary

Undocumented Azure AD APIs could allow access to internal information of any organization that uses Azure AD. Collected details included licensing information, mailbox information, and directory synchronization status.

Affected Services

N/A

Tracked CVEs

No tracked CVEs

References

https://www.secureworks.com/research/azure-active-directory-exposes-internal-information

Contributed by https://github.com/ramimac

Entry Status

Finalized

Disclosure Date

Tue, Apr 5th, 2022

Exploitablity Period

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Secureworks

More vulnerabilities...

medium

GKE Sandbox side channel attack

There was a misconfiguration with Simultaneous Multi-Threading (SMT), also known as Hyper-threading, in GKE Sandbox images, causing nodes to be potentially exposed to side channel attacks such as M...

Tue, Mar 22nd, 2022

low

AWS RDS does not enforce SSL/TLS encryption

The AWS RDS service does not enable secure transport layer security by default, allowing clients to connect insecurely. Additionally, for the more commonly used MySQL and MariaDB RDS engine types, ...

Riyaz Walikar, Kloudle

Thu, Mar 10th, 2022

medium

Logic Apps privilege escalation to root

Azure Logic Apps use API Connections to authenticate actions to services. Having Contributor access to an Azure Resource Manager (ARM) API Connection would allow someone to create arbitrary role as...

Josh Magri, NetSPI

Wed, Mar 9th, 2022

View all