Headline
CVE-2022-39327: GitHub: CVE-2022-39327 Improper Control of Generation of Code ('Code Injection') in Azure CLI
Why is this GitHub CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Azure cli, which is published on GitHub and for which GitHub is the CVE Naming Authority (CNA). It is being documented in the Security Update Guide to inform customers using the azure-cli that they need to apply the updated version. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.
CVE-ID
Learn more at National Vulnerability Database (NVD)
• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Azure CLI is the command-line interface for Microsoft Azure. In versions previous to 2.40.0, Azure CLI contains a vulnerability for potential code injection. Critical scenarios are where a hosting machine runs an Azure CLI command where parameter values have been provided by an external source. The vulnerability is only applicable when the Azure CLI command is run on a Windows machine and with any version of PowerShell and when the parameter value contains the `&` or `|` symbols. If any of these prerequisites are not met, this vulnerability is not applicable. Users should upgrade to version 2.40.0 or greater to receive a a mitigation for the vulnerability.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
- CONFIRM:https://github.com/Azure/azure-cli/security/advisories/GHSA-47xc-9rr2-q7p4
- URL:https://github.com/Azure/azure-cli/security/advisories/GHSA-47xc-9rr2-q7p4
- MISC:https://github.com/Azure/azure-cli/pull/23514
- URL:https://github.com/Azure/azure-cli/pull/23514
- MISC:https://github.com/Azure/azure-cli/pull/24015
- URL:https://github.com/Azure/azure-cli/pull/24015
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20220902
Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20220902)
Votes (Legacy)
Comments (Legacy)
Proposed (Legacy)
N/A
This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords:
You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select “Other” from dropdown)