CVE-2022-39327: Improper Control of Generation of Code ('Code Injection') in Azure CLI
(updated )
In versions previous to 2.40.0, Azure CLI contains a vulnerability for potential code injection. Critical scenarios are where a hosting machine runs an Azure CLI command where parameter values have been provided by an external source.
For example: Application X is a web application with a feature that allows users to create Secrets in an Azure KeyVault. Instead of constructing API calls based on user input, Application X uses Azure CLI commands to create the secrets. Application X has input fields presented to the user and the Azure CLI command parameter values are filled based on the user input fields. This input, when formed correctly, could potentially be run as system commands. Below is an example of the resulting Azure CLI command run on the web app’s hosting machine.
az keyvault secret set --vault-name SomeVault --name foobar --value "abc123|whoami"
The above command could potentially run the whoami command on the hosting machine.
Interactive, in-terminal use and automation/pipeline scenarios have not been identified as critical risk scenarios.
References
- github.com/Azure/azure-cli
- github.com/Azure/azure-cli/pull/23514
- github.com/Azure/azure-cli/pull/24015
- github.com/Azure/azure-cli/security/advisories/GHSA-47xc-9rr2-q7p4
- github.com/advisories/GHSA-47xc-9rr2-q7p4
- github.com/pypa/advisory-database/tree/main/vulns/azure-cli/PYSEC-2022-43177.yaml
- nvd.nist.gov/vuln/detail/CVE-2022-39327
Code Behaviors & Features
Detect and mitigate CVE-2022-39327 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →