From msrc.microsoft.com
Microsoft recently fixed a set of Server-Side Request Forgery (SSRF) vulnerabilities in four Azure services (Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins) reported by Orca Security. These SSRF vulnerabilities were determined to be low risk as they do not allow access to sensitive information or Azure backend services. Once these SSRF vulnerabilities were reported, Microsoft quickly took the necessary steps to resolve each vulnerability by implementing additional input validation for the vulnerable URLs. Microsoft also conducted a thorough investigation and determined that these SSRF vulnerabilities could not be used to access metadata, connect to internal services, access unauthorized data, or obtain cross tenant access. No customer action is required for the four impacted Azure services.