CVE-2022-39327
Published: 2022-10-25
Priority: P2 · 60
Severity: 9.8 critical (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.21% (86.6th percentile)
Azure CLI is the command-line interface for Microsoft Azure. In versions previous to 2.40.0, Azure CLI contains a vulnerability for potential code injection. Critical scenarios are where a hosting machine runs an Azure CLI command where parameter values have been provided by an external source. The vulnerability is only applicable when the Azure CLI command is run on a Windows machine and with any version of PowerShell and when the parameter value contains the `&` or `|` symbols. If any of these prerequisites are not met, this vulnerability is not applicable. Users should upgrade to version 2.40.0 or greater to receive a mitigation for the vulnerability.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| azure | azure-cli | < 2.40.0 | 2.40.0 |
| azure | azure-cli | >= 0 < 2.40.0 | 2.40.0 |
| debian | azure-cli | — | — |
| microsoft | azure_command-line_interface | < 2.40.0 | 2.40.0 |
| msrc | azure_cli | — | — |
Detection & IOCs (extracted from sources)
- Flag Azure CLI commands on Windows/PowerShell where parameter values contain the `&` or `|` symbols — these are the characters enabling code injection in vulnerable versions
- Scope detection to Windows hosts running PowerShell with Azure CLI versions prior to 2.40.0; non-Windows or non-PowerShell environments are not affected
- Alert on Azure CLI invocations where parameter values are sourced externally (e.g., from scripts, pipelines, or user input) and contain shell metacharacters `&` or `|`
- Vulnerability is NOT applicable if the Azure CLI is not run on Windows, not run under PowerShell, or if parameter values do not contain `&` or `|` — all three prerequisites must be met for exploitation
- Only Azure CLI versions prior to 2.40.0 are vulnerable; version 2.40.0 and above contain the mitigation
- As of advisory publication, the vulnerability has not been publicly exploited in the wild (Exploited: No, Publicly Disclosed: No)
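The three prerequisites listed above can be turned into a triage filter over process-creation telemetry. The following is an added example, not code from the advisory or from any of the sources on this page; the event format, field names and the sample events are constructed assumptions, and `shlex` quoting only approximates PowerShell's.

```python
import re
import shlex

# Constructed sample process-creation events in a hypothetical format (not real telemetry).
# Fields: host, os, parent process image, installed Azure CLI version, full command line.
SAMPLE_EVENTS = [
    {"host": "win-build-01", "os": "Windows", "parent": "powershell.exe", "az_version": "2.39.0",
     "cmdline": 'az keyvault secret set --vault-name kv1 --name s1 --value "v1 & v2"'},
    {"host": "win-build-02", "os": "Windows", "parent": "pwsh.exe", "az_version": "2.40.0",
     "cmdline": 'az keyvault secret set --vault-name kv1 --name s1 --value "v1 | v2"'},
    {"host": "lin-build-03", "os": "Linux", "parent": "bash", "az_version": "2.38.0",
     "cmdline": 'az keyvault secret set --vault-name kv1 --name s1 --value "v1 & v2"'},
    {"host": "win-build-04", "os": "Windows", "parent": "powershell.exe", "az_version": "2.37.0",
     "cmdline": "az keyvault secret set --vault-name kv1 --name s1 --value plainvalue"},
]

FIXED_VERSION = (2, 40, 0)                          # first release carrying the mitigation
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}  # Windows PowerShell and PowerShell 7
METACHARS = ("&", "|")                              # the two characters the advisory names


def parse_version(text):
    """'2.39.0' -> (2, 39, 0); missing components are padded with 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_vulnerable_version(text):
    return parse_version(text) < FIXED_VERSION


def metachar_values(tokens):
    """Parameter values (tokens that are not option names) containing & or |."""
    return [t for t in tokens[1:] if not t.startswith("-") and any(c in t for c in METACHARS)]


def flag_event(event):
    """Return the offending parameter values when every advisory prerequisite holds, else []."""
    if event["os"].lower() != "windows" or event["parent"].lower() not in POWERSHELL_IMAGES:
        return []
    if not is_vulnerable_version(event["az_version"]):
        return []
    # shlex quoting is only an approximation of PowerShell quoting (assumption).
    tokens = shlex.split(event["cmdline"])
    if not tokens or tokens[0].lower() not in ("az", "az.cmd"):
        return []
    return metachar_values(tokens)
```

Of the four constructed events only the first meets all prerequisites (Windows, PowerShell parent, version below 2.40.0, a value containing `&`); the others fail exactly one of them.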
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vendor_debian: 8.1 LOW
- vendor_msrc: 8.1 CRITICAL
Microsoft
GitHub: CVE-2022-39327 Improper Control of Generation of Code ('Code Injection') in Azure CLI
vendor_msrc · 2022-11-08 · CVSS 8.1 (HIGH)
FAQ: Why is this GitHub CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Azure CLI, which is published on GitHub and for which GitHub is the CVE Naming Authority (CNA). It is being documented in the Security Update Guide to inform customers using the azure-cli that they need to apply the updated version. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.
Customer Action Required: Yes
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Less Likely; Older Software Release: Exploitation Less Likely; DOS: N/A
Debian
CVE-2022-39327: azure-cli - Azure CLI is the command-line interface for Microsoft Azure. In versions previou...
vendor_debian · 2022 · CVSS 8.1 (HIGH)
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
OSV
Improper Control of Generation of Code ('Code Injection') in Azure CLI
osv · 2022-10-25 · HIGH
# Description
In versions previous to 2.40.0, Azure CLI contains a vulnerability for potential code injection. Critical scenarios are where a hosting machine runs an Azure CLI command where parameter values have been provided by an external source.
For example: Application X is a web application with a feature that allows users to create Secrets in an Azure KeyVault. Instead of constructing API calls based on user input, Application X uses Azure CLI commands to create the secrets. Application X has input fields presented to the user and the Azure CLI command parameter values are filled based on the user input fields. This input, when formed correctly, could potentially be run as system commands. Below is an example o
GHSA
Improper Control of Generation of Code ('Code Injection') in Azure CLI
ghsa · 2022-10-25 · HIGH · CWE-78
OSV
CVE-2022-39327: Azure CLI is the command-line interface for Microsoft Azure
osv · 2022-10-25
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/Azure/azure-cli/pull/23514
- https://github.com/Azure/azure-cli/pull/24015
- https://github.com/Azure/azure-cli/security/advisories/GHSA-47xc-9rr2-q7p4
Published: 2022-10-25