Microsoft Azure Code Injection Vulnerability


Azure CLI is the command-line interface for Microsoft Azure.


Azure CLI contains a potential code injection vulnerability in versions prior to 2.40.0. The critical scenario is a hosting machine running an Azure CLI command whose parameter values were supplied by an external source. The vulnerability applies only when the Azure CLI command is run on a Windows machine under any version of PowerShell and the parameter value contains the `&` or `|` symbols. If any of these prerequisites is not met, the vulnerability is not applicable. (CVE-2022-39327)
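The advisory names three prerequisites that must all hold at once: an Azure CLI older than 2.40.0, execution on Windows under PowerShell, and a parameter value containing `&` or `|`. The following pre-flight guard, an added example rather than code from Microsoft or the Azure CLI project, checks those conditions so an automation job can refuse to forward externally supplied parameter values until the CLI is upgraded. The `az --version` output line and the parameter values are constructed samples; the platform check treats any Windows host as potentially running under PowerShell, which is a conservative assumption since the parent shell is not reliably detectable.

```python
"""Pre-flight guard for the CVE-2022-39327 prerequisites (added example).

All inputs below are constructed; nothing is read from a live system.
"""
import re
import sys
from typing import Iterable

FIXED_VERSION = (2, 40, 0)      # advisory: 2.40.0 or greater carries the mitigation
SHELL_METACHARS = ("&", "|")    # the two symbols the advisory names

# Constructed sample of an 'az --version' banner for an affected release.
SAMPLE_VERSION_OUTPUT = (
    "azure-cli                         2.39.0\n"
    "core                              2.39.0\n"
)


def parse_version(text: str) -> tuple:
    """Extract the azure-cli version from 'az --version'-style output as a tuple."""
    m = re.search(r"azure-cli\s+(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("azure-cli version not found in output")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version: tuple) -> bool:
    """True for any release below the fixed version 2.40.0."""
    return version < FIXED_VERSION


def has_metachars(value: str) -> bool:
    """True if the parameter value contains '&' or '|'."""
    return any(c in value for c in SHELL_METACHARS)


def assess(version_output: str, param_values: Iterable[str],
           platform: str = sys.platform) -> dict:
    """Report which prerequisites hold and whether the command should be blocked.

    'block' is True only when every advisory prerequisite is satisfied:
    affected version, Windows host (assumed PowerShell), and a tainted value.
    """
    version = parse_version(version_output)
    tainted = [v for v in param_values if has_metachars(v)]
    on_windows = platform.startswith("win")   # assumption: Windows implies PowerShell risk
    affected = is_affected_version(version)
    return {
        "version": version,
        "affected_version": affected,
        "on_windows": on_windows,
        "tainted_values": tainted,
        "block": affected and on_windows and bool(tainted),
    }


if __name__ == "__main__":
    # Constructed parameter values: one clean, one containing a named metacharacter.
    report = assess(SAMPLE_VERSION_OUTPUT, ["my-rg", "tag=a&b"], platform="win32")
    for key, val in report.items():
        print(f"{key}: {val}")
```

When `block` is true the safe response is to upgrade the CLI before running the command; rejecting the tainted value is only a stopgap, because the advisory ties the fix to version 2.40.0, not to input filtering.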

Affected Systems

* cpe:2.3:a:microsoft:azure_command-line_interface:*:*:*:*:*:*:*:* (up to, excluding, 2.40.0)
* Running on/with: cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

IoCs

-

Recommended Solution(s)

-

Mitigations

Users should upgrade to version 2.40.0 or greater to receive a mitigation for this vulnerability.

CVE / CWE

CVE-2022-39327

Related Website(s)

* Vulnerabilities with a CVSS 3.1 score between 7.0 and 8.9 are evaluated to be “high” whereas vulnerabilities with a CVSS 3.1 score between 9.0 and 10.0 are evaluated to be “critical”.