wiz-sec / open-cvdb

An open project to list all publicly known cloud vulnerabilities and CSP security issues
https://cloudvulndb.org
Creative Commons Attribution 4.0 International
306 stars, 61 forks

Azure cli - Command Injection - CVE-2022-39327 - CVSS 9.8 (critical) #107

Closed fooinha closed 8 months ago

fooinha commented 1 year ago

Could this be a candidate entry to this database?

This vulnerability is in the Azure CLI, but this command can eventually be used on hosted machines.

Advisory contains ...

Critical scenarios are where a hosting machine runs an Azure CLI command where parameter values have been provided by an external source.

For instance, the az keyvault secret command line could be used by software release build pipelines and PowerShell scripts.

This vulnerability would require the customer to update the Azure CLI to version >= 2.40.0.
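The advisory excerpt above gives defenders two concrete things to check: whether an installed Azure CLI is at or above the fixed version 2.40.0, and whether a pipeline is handing externally supplied parameter values to an az command. The following Python script is an added example written for this issue, not code from the open-cvdb project or from the advisory. It parses the JSON that `az version --output json` prints (the `"azure-cli"` key is real; the sample document below is constructed for offline use), compares it against the fixed version, and adds a defence-in-depth filter that rejects shell metacharacters in values sourced from outside the pipeline. The metacharacter list is this example's assumption, not something the advisory specifies.

```python
import json
import re
import subprocess
from typing import Optional, Tuple

# Fixed version named in the advisory quoted in this issue (CVE-2022-39327).
FIXED_VERSION: Tuple[int, ...] = (2, 40, 0)

# Constructed sample of `az version --output json` from an unpatched install.
# The real command prints this shape; the version numbers here are made up.
SAMPLE_AZ_VERSION_OUTPUT = """{
  "azure-cli": "2.38.0",
  "azure-cli-core": "2.38.0",
  "azure-cli-telemetry": "1.0.6",
  "extensions": {}
}"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "2.40.0" into (2, 40, 0); a non-numeric suffix such as "0b1" is
    truncated to its leading digits so pre-release builds still compare."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def cli_version_from_json(output: str) -> Tuple[int, ...]:
    """Extract the core CLI version from `az version --output json` output."""
    return parse_version(json.loads(output)["azure-cli"])


def is_patched(version: Tuple[int, ...], fixed: Tuple[int, ...] = FIXED_VERSION) -> bool:
    """True when version >= fixed; shorter tuples are zero-padded so
    (2, 41) compares correctly against (2, 40, 0)."""
    n = max(len(version), len(fixed))
    padded_version = tuple(version) + (0,) * (n - len(version))
    padded_fixed = tuple(fixed) + (0,) * (n - len(fixed))
    return padded_version >= padded_fixed


# Defence in depth for the "parameter values from an external source" scenario:
# characters that have no business in a secret name, vault name or similar value.
# This set is an assumption of this example, not part of the advisory.
_UNSAFE = re.compile(r"[;&|`$<>\n\r\"'\\]")


def is_safe_parameter(value: str) -> bool:
    """Reject externally supplied values that carry shell metacharacters
    before they are passed as az command-line arguments."""
    return _UNSAFE.search(value) is None


def installed_cli_version() -> Optional[Tuple[int, ...]]:
    """Ask a locally installed az CLI for its version; None when az is absent."""
    try:
        result = subprocess.run(
            ["az", "version", "--output", "json"],
            capture_output=True, text=True, check=True,
        )
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return cli_version_from_json(result.stdout)


if __name__ == "__main__":
    sample = cli_version_from_json(SAMPLE_AZ_VERSION_OUTPUT)
    status = "patched" if is_patched(sample) else "VULNERABLE, update to >= 2.40.0"
    print("constructed sample install:", ".".join(map(str, sample)), status)

    live = installed_cli_version()
    if live is None:
        print("no local az CLI found, skipping live check")
    else:
        print("local install:", ".".join(map(str, live)),
              "patched" if is_patched(live) else "VULNERABLE, update to >= 2.40.0")

    for candidate in ("db-password", "db-password; id"):
        print(repr(candidate), "accepted" if is_safe_parameter(candidate) else "rejected")
```

Run it as-is to see the constructed sample flagged as vulnerable; on a build agent with the Azure CLI installed, the live check reports the agent's own version. The parameter filter is a belt-and-braces control for pipelines that cannot be upgraded immediately; it does not replace updating to 2.40.0 or later.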

korniko98 commented 1 year ago

Yes, this is in scope - would you like to create a pull request with the details? (you can use this format)