low

Azure AD information disclosure via undocumented APIs

Published Tue, Apr 5th, 2022

Platforms

azure

Summary

Undocumented Azure AD APIs could allow access to internal information of any organization that uses Azure AD. Collected details included licensing information, mailbox information, and directory synchronization status.

Affected Services

N/A

Tracked CVEs

No tracked CVEs

References

https://www.secureworks.com/research/azure-active-directory-exposes-internal-information

Contributed by https://github.com/ramimac

Entry Status

Finalized

Disclosure Date

Tue, Apr 5th, 2022

Exploitability Period

-

Known ITW Exploitation

No

Detection Methods

None

Piercing Index Rating

-

Discovered by

Secureworks

More vulnerabilities...

medium

GKE Sandbox side channel attack

gcp

There was a misconfiguration with Simultaneous Multi-Threading (SMT), also known as Hyper-threading, in GKE Sandbox images, causing nodes to be potentially exposed to side channel attacks such as M...

low

AWS RDS does not enforce SSL/TLS encryption

aws

The AWS RDS service does not enable secure transport layer security by default, allowing clients to connect insecurely. Additionally, for the more commonly used MySQL and MariaDB RDS engine types, ...

Riyaz Walikar, Kloudle
medium

Logic Apps privilege escalation to root

azure

Azure Logic Apps use API Connections to authenticate actions to services. Having Contributor access to an Azure Resource Manager (ARM) API Connection would allow someone to create arbitrary role as...

Josh Magri, NetSPI
View all