CVE-2022-39327
published 2022-10-25

Priority P260 | critical | CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.21% (86.6th percentile)

Azure CLI is the command-line interface for Microsoft Azure. In versions prior to 2.40.0, Azure CLI contains a vulnerability for potential code injection. Critical scenarios are where a hosting machine runs an Azure CLI command where parameter values have been provided by an external source. The vulnerability is only applicable when the Azure CLI command is run on a Windows machine and with any version of PowerShell and when the parameter value contains the `&` or `|` symbols. If any of these prerequisites are not met, this vulnerability is not applicable. Users should upgrade to version 2.40.0 or greater to receive a mitigation for the vulnerability.

Affected

5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| azure | azure-cli | < 2.40.0 | 2.40.0 |
| azure | azure-cli | >= 0 < 2.40.0 | 2.40.0 |
| debian | azure-cli | | |
| microsoft | azure_command-line_interface | < 2.40.0 | 2.40.0 |
| msrc | azure_cli | | |

Detection & IOCs (extracted from sources)

  • Flag Azure CLI commands on Windows/PowerShell where parameter values contain the `&` or `|` symbols — these are the characters enabling code injection in vulnerable versions
  • Scope detection to Windows hosts running PowerShell with Azure CLI versions prior to 2.40.0; non-Windows or non-PowerShell environments are not affected
  • Alert on Azure CLI invocations where parameter values are sourced externally (e.g., from scripts, pipelines, or user input) and contain shell metacharacters `&` or `|`
  • Vulnerability is NOT applicable if the Azure CLI is not run on Windows, not run under PowerShell, or if parameter values do not contain `&` or `|` — all three prerequisites must be met for exploitation
  • Only Azure CLI versions prior to 2.40.0 are vulnerable; version 2.40.0 and above contain the mitigation
  • As of advisory publication, the vulnerability has not been publicly exploited in the wild (Exploited: No, Publicly Disclosed: No)
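
The scoping and flagging rules listed above, written as a Python filter over process-creation events. This is an added example, not code from the advisory or from this site. The event field names (`os`, `parent_image`, `az_version`, `command_line`), the `C:\Tools\az` path and the sample events are constructed assumptions.

```python
import re

FIXED = (2, 40, 0)                       # first release carrying the mitigation
METACHARS = "&|"                         # the two symbols the advisory names
POWERSHELL = {"powershell.exe", "pwsh.exe"}
AZ_NAMES = {"az", "az.cmd"}

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def parse_version(text):
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(map(int, m.groups())) if m else None

def tokens(command_line):
    # Whitespace split that keeps quoted strings together and drops the quotes.
    found = re.findall(r'"([^"]*)"|\'([^\']*)\'|(\S+)', command_line)
    return [a or b or c for a, b, c in found]

def in_scope(event):
    """Windows host, PowerShell parent, Azure CLI older than 2.40.0."""
    if event.get("os", "").lower() != "windows":
        return False
    if basename(event.get("parent_image", "")) not in POWERSHELL:
        return False
    version = parse_version(event.get("az_version"))
    return version is None or version < FIXED   # unknown version stays in scope

def flag(event):
    """Return the az parameter tokens that contain & or |, or [] if none apply."""
    if not in_scope(event):
        return []
    toks = tokens(event.get("command_line", ""))
    for i, tok in enumerate(toks):
        if basename(tok) in AZ_NAMES:
            return [t for t in toks[i + 1:] if any(c in t for c in METACHARS)]
    return []

# Constructed sample events; the field names are assumptions, not a real log schema.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"os": "Windows", "parent_image": PS, "az_version": "2.39.0",
     "command_line": 'az.cmd ad app create --display-name "R&D portal"'},
    {"os": "Windows", "parent_image": PS, "az_version": "2.40.0",
     "command_line": 'az.cmd ad app create --display-name "R&D portal"'},
    {"os": "Linux", "parent_image": "/usr/bin/bash", "az_version": "2.30.0",
     "command_line": "az tag create --name 'a|b'"},
    {"os": "Windows", "parent_image": PS, "az_version": None,
     "command_line": r'"C:\Tools\az\az.cmd" tag create --name "a|b"'},
    {"os": "Windows", "parent_image": PS, "az_version": "2.39.0",
     "command_line": "az.cmd group list --output table"},
]
```

A value such as `R&D portal` is ordinary data, so a hit marks an invocation for review and for the upgrade to 2.40.0 rather than proving injection.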

CVSS provenance

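| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vendor_debian | | 8.1 | LOW | |
| vendor_msrc | | 8.1 | CRITICAL | |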