Open tyson-trust opened 4 months ago
Thanks for the submission! Maybe we should add that there is no long-term fix at the moment, because MSFT doesn't consider this design error a security vulnerability.
@tyson-trust could you add a PR with this information? Also, I'm having trouble understanding the impact of this issue and how likely it is to be exploited; I think it would be useful to add a PoC to the original blog post.
```yaml
title: Azure OpenAI Control Plane Bypass for Deployment resource
slug: azure-openai-controlplanebypass-deployments
cves: null
affectedPlatforms:
manualRemediation: |
  Do not use the Azure AI Developer built-in role and ensure any roles used for Microsoft.CognitiveServices namespace add the below operations to the NotDataActions section of any applicable Role Definitions.

  Microsoft.CognitiveServices/accounts/OpenAI/deployments/read
  Microsoft.CognitiveServices/accounts/OpenAI/deployments/write
  Microsoft.CognitiveServices/accounts/OpenAI/deployments/delete
detectionMethods: null
contributor: https://github.com/tyson-trust
references:
```
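As an added example (not code from the original post or from the project), here is a small audit script for the remediation above: it takes a role definition in the ARM REST shape (`properties.permissions[].dataActions` / `notDataActions`, an assumption about the input format), reports which of the three deployment operations a role still grants on the data plane after wildcard expansion, and applies the recommended NotDataActions entries. The sample role is constructed for the demonstration.

```python
import fnmatch
import json

# The three operations the entry says to add to NotDataActions.
DEPLOYMENT_OPS = [
    "Microsoft.CognitiveServices/accounts/OpenAI/deployments/read",
    "Microsoft.CognitiveServices/accounts/OpenAI/deployments/write",
    "Microsoft.CognitiveServices/accounts/OpenAI/deployments/delete",
]


def _matches(pattern: str, op: str) -> bool:
    # Azure RBAC wildcards: "*" matches any run of characters, "/" included.
    return fnmatch.fnmatchcase(op, pattern)


def granted_data_ops(role: dict) -> list:
    """Deployment operations the role still grants: matched by some
    dataActions entry and not excluded by any notDataActions entry."""
    perms = role["properties"]["permissions"][0]
    allowed = perms.get("dataActions", [])
    denied = perms.get("notDataActions", [])
    return [op for op in DEPLOYMENT_OPS
            if any(_matches(p, op) for p in allowed)
            and not any(_matches(p, op) for p in denied)]


def harden(role: dict) -> dict:
    """Return a deep copy with the deployment operations denied via notDataActions."""
    hardened = json.loads(json.dumps(role))
    perms = hardened["properties"]["permissions"][0]
    denied = perms.setdefault("notDataActions", [])
    for op in DEPLOYMENT_OPS:
        if op not in denied:
            denied.append(op)
    return hardened


# Constructed sample: a custom role granting the whole OpenAI data plane by wildcard.
SAMPLE_ROLE = {
    "properties": {
        "roleName": "Example OpenAI Data User (constructed)",
        "permissions": [{
            "actions": [],
            "notActions": [],
            "dataActions": ["Microsoft.CognitiveServices/accounts/OpenAI/*"],
            "notDataActions": [],
        }],
    }
}

if __name__ == "__main__":
    print("granted before:", granted_data_ops(SAMPLE_ROLE))
    print("granted after: ", granted_data_ops(harden(SAMPLE_ROLE)))
```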