Microsoft has fixed a critical security vulnerability that could let attackers steal credentials from GitHub Actions or Azure DevOps logs created using Azure CLI (short for Azure command-line interface).
The vulnerability (tracked as CVE-2023-36052) was reported by Palo Alto security researcher Aviad Hahami, who found that successful exploitation enables unauthenticated attackers to remotely access plain text contents written by Azure CLI to Continuous Integration and Continuous Deployment (CI/CD) logs.
“An attacker that successfully exploited this vulnerability could recover plaintext passwords and usernames from log files created by the affected CLI commands and published by Azure DevOps and/or GitHub Actions,” Microsoft explains.
“Customers using the affected CLI commands must update their Azure CLI version to 2.53.1 or above to be protected against the risks of this vulnerability. This also applies to customers with log files created by using these commands through Azure DevOps and/or GitHub Actions.”
Microsoft says that customers who recently used Azure CLI commands were notified through the Azure Portal. In an MSRC blog post published today, Redmond advised all customers to update to the latest Azure CLI version (2.54).