high

Code Execution in Azure API Management Developer Portal

Published Wed, Dec 11th, 2024
Platforms

Summary

A vulnerability in Azure API Management Developer Portal allows arbitrary code execution and secret exfiltration. The issue stems from a workflow that loads untrusted data from opened issues, potentially allowing attackers to inject malicious commands. This could lead to code execution in the runner, granting access to sensitive tokens and permissions.

Affected Services

API Management Developer Portal

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Contributed by https://github.com/korniko98
Entry Status
Stub (AI-Generated)
Disclosure Date
Tue, Oct 22nd, 2024
Exploitablity Period
Until 2024/11/04
Known ITW Exploitation
-
Detection Methods
Monitor for suspicious activity in GitHub Actions workflows, especially those handling user-supplied data. Review and audit workflows for potential code injection vulnerabilities.
Piercing Index Rating
-
Discovered by
Alvaro Munoz, GitHub Security Lab

More vulnerabilities...

high

ModeLeak: LLM Model Exfiltration Vulnerability in Vertex AI

A vulnerability in GCP's Vertex AI service allows privilege escalation and unauthorized access to sensitive LLM models. Attackers can exfiltrate these models by exploiting misconfigurations in acce...

...
Ofir Balassiano, Ofir Shaty...

high

Sketchy Cheat Sheet

Multiple vulnerabilities were discovered in Google's Cloud Architecture Diagramming Tool, including XSS, unauthorized access to user data, and misconfigured storage buckets. The issues allowed acce...

...
Jakub Domeracki, Egnyte

high

Issue with data.all Framework Multiple CVEs

Multiple security vulnerabilities were identified in data.all, an open source development framework for building data marketplaces on AWS. The issues affect versions 1.0.0 through 2.6.0 and include...

...
Amazon Web Services

View all