cbcvebase.
CVE-2020-16904
published 2020-10-16

Priority: P261
CVSS 3.1: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 3.12% (86.2th percentile)

An elevation of privilege vulnerability exists in the way Azure Functions validate access keys. An unauthenticated attacker who successfully exploited this vulnerability could invoke an HTTP Function without proper authorization. This security update addresses the vulnerability by correctly validating access keys used to access HTTP Functions.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
microsoft | azure_functions | |
msrc | azure_functions | |

Detection & IOCs (extracted from sources)

  • No patch is deployed automatically; the Azure Functions app must be manually restarted to receive the security update that correctly validates access keys for HTTP Functions.
  • The vulnerability allows unauthenticated invocation of HTTP-triggered Azure Functions by bypassing access key validation; monitor HTTP Function invocations that lack valid access keys as a detection signal.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_msrc | | 5.3 | MEDIUM |