Closed zpbrent closed 3 years ago
Thanks for reporting, @zpbrent. Please feel free to open a PR in this repo with your fix.
Also refer to https://aka.ms/bugbounty for our bounty programs for future use.
Thank you for your response, @ramya-rao-a. Also, can you kindly help by replying "@huntr-helper - LGTM" in the PR https://github.com/418sec/ms-rest-nodeauth/pull/1? Then the huntr bot can automatically open a new PR to request the merge of the fix into your package. Many thanks.
By the way, what is your opinion on whether this bug deserves a CVE? If so, can you help to request one for it? Many thanks!
Sure, I will refer to https://aka.ms/bugbounty for any more bugs in the future.
Related PR: #117
Hey @ramya-rao-a, sorry to disturb you again, but I find that CVE-2021-28458 has not been added to the CVE list until now at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28458. In my previous experience, when a CVE is issued, it is added to the CVE database within no more than two days. So I am confused whether there is something wrong or whether this CVE will take longer than others to be added.
I'm following up on our side, will update when I get some answers.
@xirzec thanks!
Hey @xirzec, I have just found the release of this CVE at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-28458, thank you so much for your efforts.
Also, can you do me another favor and list my name, zpbrent (zhou, peng@shu), in the acknowledgements part of this advisory at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-28458#acknowledgements, so my disclosure of this vul can be linked directly? Many thanks for your help and time!
Package Version: 3.0.7
Describe the bug: The core function execAz(), which is purposely used for az commands, can be injected with arbitrary other OS commands. Attackers can also exploit this vulnerability by calling AzureCliCredentials.setDefaultSubscription("OS command") from the Azure CLI.
To Reproduce:
Expected behavior: The illegal file HACKED should not be created on the machine.
Screenshots:
Additional context: I have reported this vul through huntr.dev at https://www.huntr.dev/bounties/1-npm-@azure/ms-rest-nodeauth/ and have also proposed a possible fix with a PR at https://github.com/418sec/ms-rest-nodeauth/pull/1
Please help to confirm whether this is indeed a bug and also whether the fix is feasible, thanks!
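
An added example, not part of the original report and not the package's code or the fix proposed in the PR: one way to harden a wrapper like execAz() is to allow-list the subscription value and pass it as a single argv element without starting a shell. All function names, the regular expression and the sample inputs are hypothetical; a node child that echoes its argv stands in for the az binary so the example runs offline.

```javascript
// Added example: hypothetical hardened wrapper, not the package's execAz().
const { execFileSync } = require("node:child_process");

// Assumption: a subscription is a GUID or a display name made of letters,
// digits, spaces, dots, underscores and hyphens. Everything else is rejected.
const SUBSCRIPTION_RE = /^[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}$/;

function validateSubscription(value) {
  if (typeof value !== "string" || !SUBSCRIPTION_RE.test(value)) {
    throw new TypeError("invalid subscription name or id");
  }
  return value;
}

// Build an argument vector, never a command string.
function buildSetSubscriptionArgs(subscription) {
  return ["account", "set", "--subscription", validateSubscription(subscription)];
}

// Stand-in for the az binary: a node child that prints the argv it received.
const ECHO_ARGV = ["-e", "console.log(JSON.stringify(process.argv.slice(1)))", "--"];

// No shell is started, so ';', '&&', '|' and '$()' are never interpreted.
function runWithoutShell(args, program = process.execPath, prefix = ECHO_ARGV) {
  const out = execFileSync(program, [...prefix, ...args], { encoding: "utf8", shell: false });
  return JSON.parse(out);
}

// Constructed sample inputs.
const GOOD = "00000000-0000-0000-0000-000000000000";
const HOSTILE = "demo; echo INJECTED";

function demo() {
  const accepted = runWithoutShell(buildSetSubscriptionArgs(GOOD));
  let rejected = false;
  try {
    buildSetSubscriptionArgs(HOSTILE);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  // Even if validation were skipped, the value stays one literal argument.
  const literal = runWithoutShell(["account", "set", "--subscription", HOSTILE]);
  return { accepted, rejected, literal };
}

console.log(demo());
```

On Windows the az entry point is a .cmd script, which Node cannot launch through execFile without a shell, so there the allow-list check is the control that carries the weight.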