CVE-2019-1372 — Microsoft Azure APP Service ON Azure Stack vulnerability

4 documents4 sources

Severity

10.0CRITICALNVD

EPSS

3.3%

top 12.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Azure APP Service ON Azure Stack

Timeline

PublishedOct 10

Latest updateMay 24

Description

An remote code execution vulnerability exists when Azure App Service/ Antares on Azure Stack fails to check the length of a buffer prior to copying memory to it.An attacker who successfully exploited this vulnerability could allow an unprivileged function run by the user to execute code in the context of NT AUTHORITY\system thereby escaping the Sandbox.The security update addresses the vulnerability by ensuring that Azure App Service sanitizes user inputs., aka 'Azure App Service Remote Code Exe…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 3.9 | Impact: 6.0

Affected Packages2 packages

▶NVDmicrosoft/azure_app_service_on_azure_stack< 1.7

▶CVEListV5microsoft/azure_app_service_on_azure_stackunspecified

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-649f-8c3w-9g8g: An remote code execution vulnerability exists when Azure App Service/ Antares on Azure Stack fails to check the length of a buffer prior to copying me↗2022-05-24

▶

CVEList

CVE-2019-1372: An remote code execution vulnerability exists when Azure App Service/ Antares on Azure Stack fails to check the length of a buffer prior to copying me↗2019-10-10

▶

📋Vendor Advisories

Microsoft

Azure Stack Remote Code Execution Vulnerability↗2019-10-08

▶