CVE-2022-39327

Improper Control of Generation of Code ('Code Injection') in Azure CLI

CVSS 8.1 HIGH · EPSS 3.2% · CWE-94
In short

Azure CLI on Windows allows an attacker to inject and execute arbitrary commands through a parameter value containing the `&` or `|` character. The risk arises when a script or host takes parameter values from an external source (user input, a webhook payload, a pipeline variable) and passes them to an Azure CLI command; whatever runs does so with the privileges of the user who invoked the CLI.

Technical detail

Code injection in Azure CLI versions before 2.40.0 on Windows. The Windows entry point is a batch wrapper (az.cmd) interpreted by cmd.exe, for which `&` and `|` are command separators. When a PowerShell script forwards an attacker-controlled parameter value containing either character to az, cmd.exe can treat the text after the separator as a second command, which then runs with the privileges of the CLI process. All three preconditions are required: a Windows host, invocation through PowerShell (any version), and a parameter value sourced from outside the script that contains `&` or `|`. Upgrading to 2.40.0 or later mitigates the issue; values that originate from untrusted sources should still be validated before they reach the CLI.
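The guard below is an added example, not Azure CLI's own code or the vendor's mitigation. It shows the two checks a practitioner would want on a Windows host that runs az with externally supplied values: confirm the installed CLI is at least 2.40.0, and refuse to forward any argument containing a cmd.exe metacharacter. It assumes az.cmd is on PATH and that `az version --output json` reports the CLI version under the `azure-cli` key; the function names and the sample resource-group value are constructed for this example. The character class is deliberately wider than the advisory's `&` and `|` (it also rejects `<`, `>`, `^` and `%`), which is this example's own choice for cmd.exe, not a statement about what the CVE covers.

```powershell
# Added example; not part of the advisory or of the Azure CLI code base.
# Assumptions: az.cmd on PATH; `az version --output json` returns an object
# with an "azure-cli" property holding the installed version string.

function Test-AzCliPatched {
    # $true when the installed Azure CLI is 2.40.0 or later (the mitigated release).
    $info = az version --output json | ConvertFrom-Json
    $installed = [version]$info.'azure-cli'
    return $installed -ge [version]'2.40.0'
}

function Test-CmdMetacharacter {
    param([string]$Value)
    # '&' and '|' are the characters named in the advisory. '<', '>', '^' and '%'
    # are also special to cmd.exe, so this example rejects them too (a stricter
    # policy than the advisory's minimum, chosen here as an assumption).
    return [bool]($Value -match '[&|<>^%]')
}

function Invoke-AzGuarded {
    # Forwards arguments to az only after every value passes the metacharacter check.
    param([Parameter(Mandatory)][string[]]$Arguments)
    foreach ($arg in $Arguments) {
        if (Test-CmdMetacharacter -Value $arg) {
            throw "Refusing to pass '$arg' to az: it contains a cmd.exe metacharacter"
        }
    }
    & az @Arguments
}

# Constructed sample: a resource-group name that arrived from an untrusted source.
# It carries the '&' separator the advisory describes; the guard refuses it before
# az.cmd (and therefore cmd.exe) ever sees the value.
$untrustedName = 'rg-demo&whoami'

if (-not (Test-AzCliPatched)) {
    Write-Warning 'Installed Azure CLI is older than 2.40.0 and is affected by CVE-2022-39327'
}

try {
    Invoke-AzGuarded -Arguments @('group', 'show', '--name', $untrustedName)
} catch {
    Write-Warning $_.Exception.Message
}
```

Run the script from PowerShell on the Windows host that executes the pipeline or automation; the version check is only a sanity check, while the argument guard is what prevents an external value from reaching cmd.exe's parser in the first place.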

Summary generated and translated by AI from the official description.
Azure CLI is the command-line interface for Microsoft Azure. In versions previous to 2.40.0, Azure CLI contains a vulnerability for potential code injection. Critical scenarios are where a hosting machine runs an Azure CLI command where parameter values have been provided by an external source. The vulnerability is only applicable when the Azure CLI command is run on a Windows machine and with any version of PowerShell and when the parameter value contains the `&` or `|` symbols. If any of these prerequisites are not met, this vulnerability is not applicable. Users should upgrade to version 2.40.0 or greater to receive a mitigation for the vulnerability.
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Azure · azure-cli