search

wiz-sec / open-cvdb

An open project to list all publicly known cloud vulnerabilities and CSP security issues
https://cloudvulndb.org
Creative Commons Attribution 4.0 International
305 stars 61 forks source link

[Contribution] Add Synapse spark lpe #282

Closed DinoBytes closed 5 months ago

DinoBytes commented 6 months ago 
title: Microsoft Azure Synapse Analytics - Privilege Escalation via Vegas Caching Service
slug: synapse-spark-lpe-jan2024
cves: null
affectedPlatforms:
- Azure
affectedServices:
- Synapse Analytics
image: https://raw.githubusercontent.com/wiz-sec/open-cvdb/main/images/[slug].jpg
severity: Medium
discoveredBy:
  name: Jimi Sebree
  org: Tenable
  domain: https://www.tenable.com/
  twitter: @dinobytes
disclosedAt: 2024/03/07
exploitabilityPeriod: September 2023 - January 2024
knownITWExploitation: false
summary: |
  Tenable Research discovered a privilege escalation flaw that allows a user to escalate privileges to that
  of the root user within the context of a Spark VM. This escalation was achieved because of a permissions issue with scripts utilized by the Vegas Caching service present in the environment.
manualRemediation: |
  None required
detectionMethods: null
contributer: https://github.com/dinobytes
references:
- https://www.tenable.com/security/research/tra-2024-06
korniko98 commented 5 months ago

@DinoBytes since you've already written the yaml entry, would you mind opening a PR for this as well?

DinoBytes commented 5 months ago

Sure thing: https://github.com/wiz-sec/open-cvdb/pull/313