Microsoft fixes Azure CLI critical vulnerability that exposes credentials in logs

published: Nov. 14, 2023

Take action: If you are using Microsoft Azure CLI, upgrade to version 2.54 on all CI runners and all developer machines to prevent credentials from being accidentally written to central logs, where they can be read and compromised.

Learn More

Microsoft has fixed a significant security issue within the Azure CLI that allowed for potential theft of credentials from logs generated by GitHub Actions or Azure DevOps.

The flaw, tracked as CVE-2023-36052 (CVSS3 8.6), made it possible for attackers to retrieve plaintext usernames and passwords from logs produced by specific Azure CLI commands and published through Azure DevOps or GitHub Actions.

Microsoft has emphasized that users must upgrade their Azure CLI to version 2.53.1 or later to safeguard against this security risk, a directive that also applies to anyone whose logs were generated through those services.

To enhance security, Microsoft recommends maintaining the Azure CLI at the latest version, avoiding the public display of CLI outputs in logs, routinely changing keys and secrets, and following Azure's secret management advice. Other suggested measures include adhering to GitHub's security hardening practices for GitHub Actions, keeping repositories private when not required to be public, and securing Azure Pipelines according to Microsoft's guidelines.
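A practical way to enforce the first recommendation above (keep the Azure CLI at a fixed version on every runner) is a small gate script run as the first step of a pipeline. The script below is an added example written for this page, not code from Microsoft or the advisory. It assumes that `az version` prints JSON containing an `"azure-cli"` key (as current releases do) and takes the minimum patched version, 2.53.1, from the text above; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: fail a CI job when the installed Azure CLI predates the
# release that fixed CVE-2023-36052. Minimum version taken from the advisory.
MIN_AZ_VERSION="2.53.1"

# component VERSION N -> N-th dotted field of VERSION as a number (0 if absent)
component() {
    printf '%s\n' "$1" | awk -F. -v n="$2" '{ print $n + 0 }'
}

# version_ge A B -> exit status 0 when dotted version A >= B (major.minor.patch)
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(component "$1" "$i")
        y=$(component "$2" "$i")
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# az_cli_is_patched VERSION -> 0 when VERSION is at or above MIN_AZ_VERSION
az_cli_is_patched() {
    version_ge "$1" "$MIN_AZ_VERSION"
}

# installed_az_version -> the "azure-cli" value from `az version` JSON output
# (assumption: that key is present; parsed with sed so jq is not required)
installed_az_version() {
    az version 2>/dev/null \
        | sed -n 's/.*"azure-cli": *"\([0-9.]*\)".*/\1/p' \
        | head -n 1
}

# check_runner -> 0 if the local az is patched, 1 if too old, 2 if az is missing
check_runner() {
    if ! command -v az >/dev/null 2>&1; then
        echo "az is not installed on this runner" >&2
        return 2
    fi
    v=$(installed_az_version)
    if az_cli_is_patched "$v"; then
        echo "Azure CLI $v is at or above $MIN_AZ_VERSION"
        return 0
    fi
    echo "Azure CLI $v is older than $MIN_AZ_VERSION; upgrade before running pipelines" >&2
    return 1
}

# Run the check only when invoked as `sh az-cli-gate.sh --check`, so the
# functions can also be sourced by other scripts without side effects.
case "${1:-}" in
    --check) check_runner; exit $? ;;
esac
```

Run it as the first step of a GitHub Actions or Azure Pipelines job (`sh az-cli-gate.sh --check`); a non-zero exit stops the job before any `az` command can write output to the job log. The comparison is numeric per component, so pre-release or build suffixes are not handled; on runners that pin such builds, compare against the explicit version string instead.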
