medium

ACSESSED

Published Thu, Dec 22nd, 2022
Platforms

Summary

Azure Cognitive Search (ACS) is a full-text search engine service. A new non-default feature allowed a network control to be bypassed, permitting an attacker to submit search queries to any other tenant's network-isolated ACS instance. However, abusing this required a valid API key to access the data plane of the target, along with several pieces of information about the target environment (such as the subscription ID and the name of the index to query).

Affected Services

Cognitive Search

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Entry Status
Finalized
Disclosure Date
Wed, Feb 23rd, 2022
Exploitability Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
7.66
(PI:1.5/A1:20/A2:1/A7:1.1/A8:0.7)
Discovered by
Emilien Socchi, mnemonic