Summary
Azure CLI contained a code injection vulnerability that could be exploited in
a scenario where the host runs a command where parameter values have been provided
by an external untrusted source - these could be specially crafted in such a way
as to exploit the vulnerability, leading to remote code execution on the host.
The vulnerability is only applicable when the Azure CLI command is run on a Windows
machine and with any version of PowerShell and when the parameter value contains
the `&` or `|` symbols.
Affected Services
Azure CLI
Remediation
Upgrade to Azure CLI 2.40.0 or greater.
Tracked CVEs
No tracked CVEs
References
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-39327https://github.com/Azure/azure-cli/security/advisories/GHSA-47xc-9rr2-q7p4https://github.com/Azure/azure-cli/pull/23514https://github.com/Azure/azure-cli/pull/24015
Contributed by https://github.com/fooinha
Entry Status
Finalized
Disclosure Date
-
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Microsoft
