CVE-2020-16904
Published: 2020-10-16
Priority: P261 | Severity: critical | CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.12% (86.2th percentile)
An elevation of privilege vulnerability exists in the way Azure Functions validate access keys.
An unauthenticated attacker who successfully exploited this vulnerability could invoke an HTTP Function without proper authorization.
This security update addresses the vulnerability by correctly validating access keys used to access HTTP Functions.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | azure_functions | — | — |
| msrc | azure_functions | — | — |
Detection & IOCs
- No patch is deployed automatically; the Azure Functions app must be manually restarted to receive the security update that correctly validates access keys for HTTP Functions.
- The vulnerability allows unauthenticated invocation of HTTP-triggered Azure Functions by bypassing access key validation; monitor HTTP Function invocations that lack valid access keys as a detection signal.
CVSS provenance
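| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_msrc | — | 5.3 | MEDIUM | — |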
Microsoft
Azure Functions Elevation of Privilege Vulnerability
vendor_msrc · 2020-10-13 · CVSS 5.3
CVE-2020-16904 [MEDIUM] Azure Functions Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in the way Azure Functions validate access keys.
An unauthenticated attacker who successfully exploited this vulnerability could invoke an HTTP Function without proper authorization.
This security update addresses the vulnerability by correctly validating access keys used to access HTTP Functions.
FAQ: How do I get the Azure Functions update?
Restart your Azure Functions app to get the latest version with the security update.
Azure: Azure
Issuing CNA: Microsoft
Impact: Elevation of Privilege
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Less Likely; Older Software Release: Exploitation Less Likely; DOS: N/A
GHSA
GHSA-v3gf-q256-843h: An elevation of privilege vulnerability exists in the way Azure Functions validate access keys
ghsa_unreviewed · 2022-05-24
CVE-2020-16904 [CRITICAL] CWE-269 GHSA-v3gf-q256-843h: An elevation of privilege vulnerability exists in the way Azure Functions validate access keys
An elevation of privilege vulnerability exists in the way Azure Functions validate access keys. An unauthenticated attacker who successfully exploited this vulnerability could invoke an HTTP Function without proper authorization. This security update addresses the vulnerability by correctly validating access keys used to access HTTP Functions, aka 'Azure Functions Elevation of Privilege Vulnerability'.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.