Microsoft fixes Azure CLI critical vulnerability that exposes credentials in logs
Take action: If you use the Microsoft Azure CLI, upgrade to version 2.54 on all CI runners and on every developer machine, so that credentials are not accidentally written to central logs where anyone with read access to those logs could recover and misuse them.
Microsoft has fixed a significant security issue in the Azure CLI that could allow theft of credentials from logs generated by GitHub Actions or Azure DevOps pipelines.
The flaw, tracked as CVE-2023-36052 (CVSS3 8.6), made it possible for attackers to retrieve plaintext usernames and passwords from logs produced by specific Azure CLI commands and published through Azure DevOps or GitHub Actions.
Microsoft has emphasized that users must upgrade the Azure CLI to version 2.53.1 or later to safeguard against this risk; this applies in particular to anyone whose Azure CLI output has been written to logs by either of those services.
To enhance security, Microsoft recommends maintaining the Azure CLI at the latest version, avoiding the public display of CLI outputs in logs, routinely changing keys and secrets, and following Azure's secret management advice. Other suggested measures include adhering to GitHub's security hardening practices for GitHub Actions, keeping repositories private when not required to be public, and securing Azure Pipelines according to Microsoft's guidelines.
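As an added example (not from the article, and not Microsoft's own tooling), the POSIX sh snippet below is a guard a CI job can run before any `az` command: it fails the step when the runner's Azure CLI is older than the 2.53.1 release the article names. The `az version` subcommand, its `"azure-cli"` JSON key and the presence of `az` on PATH are assumptions about the environment.

```shell
#!/bin/sh
# Minimum fixed release quoted in the article for CVE-2023-36052.
AZ_MIN_VERSION="2.53.1"

# version_ge A B -> exit status 0 when dotted version A >= B, 1 otherwise.
# Components are compared numerically one by one; a missing component counts as 0
# and any non-numeric suffix (e.g. "1rc1") is ignored for the comparison.
version_ge() {
    a="$1"; b="$2"; i=1
    while :; do
        # A trailing dot guarantees cut sees a delimiter even for "2" or "3".
        pa=$(printf '%s.\n' "$a" | cut -d. -f"$i")
        pb=$(printf '%s.\n' "$b" | cut -d. -f"$i")
        # Both strings exhausted with no difference found: versions are equal.
        [ -z "$pa" ] && [ -z "$pb" ] && return 0
        pa=${pa%%[!0-9]*}; pb=${pb%%[!0-9]*}
        [ "${pa:-0}" -gt "${pb:-0}" ] && return 0
        [ "${pa:-0}" -lt "${pb:-0}" ] && return 1
        i=$((i + 1))
    done
}

# check_az_version VERSION -> 0 if VERSION is at or above AZ_MIN_VERSION, else 1.
# Prints a one-line verdict so the result is visible in the job log.
check_az_version() {
    if version_ge "$1" "$AZ_MIN_VERSION"; then
        echo "azure-cli $1 is at or above $AZ_MIN_VERSION (CVE-2023-36052 fixed)"
        return 0
    fi
    echo "azure-cli $1 is below $AZ_MIN_VERSION: upgrade before running commands whose output is logged" >&2
    return 1
}

# check_installed_az: read the version of the az on PATH and apply the check.
# Assumption: 'az version' prints JSON with an "azure-cli" key, as current releases do.
check_installed_az() {
    if ! command -v az >/dev/null 2>&1; then
        echo "az not found on PATH; nothing to check" >&2
        return 1
    fi
    installed=$(az version --query '"azure-cli"' -o tsv 2>/dev/null)
    check_az_version "${installed:-0}"
}

# Run the live check only when invoked as: sh azcheck.sh check
[ "${1-}" = "check" ] && check_installed_az
```

In a GitHub Actions or Azure Pipelines step, run `sh azcheck.sh check` as the first command; a non-zero exit stops the job before any command that could print secrets.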