critical

Synlapse

Published Mon, May 9th, 2022
Platforms

Summary

Azure Synapse Analytics and Azure Data Factory were vulnerable to cross-tenant access and code execution. This was made possible via a combination of (1) a shell injection RCE vulnerability in the integration runtime, (2) credentials for multiple customers stored on a shared host and (3) an insecure management server API.

Affected Services

Synapse Analytics, Data Factory

Remediation

None required

Tracked CVEs

CVE-2022-29972

References

Entry Status
Finalized
Disclosure Date
Tue, Jan 4th, 2022
Exploitability Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
8.63
(PI:1.5/A1:22/A2:1/A7:1.1/A8:0.9)
Discovered by
Tzah Pahima, Orca Security