Microsoft fixes critical Azure CLI flaw that leaked credentials in logs

14-Nov-23

Microsoft has patched a serious security flaw that might allow hackers to obtain login information from Azure DevOps or GitHub Actions logs generated using the Azure CLI (short for Azure command-line interface).


Palo Alto security researcher Aviad Hahami discovered the vulnerability (tracked as CVE-2023-36052), and upon successful exploitation, it allows unauthenticated attackers to remotely access plain text contents written to Continuous Integration and Continuous Deployment (CI/CD) logs by the Azure CLI. If this vulnerability was successfully exploited, an attacker might get usernames and plaintext passwords from log files produced by the impacted CLI commands and made available by GitHub Actions and/or Azure DevOps.


Read More…