critical

Synlapse

Published Mon, May 9th, 2022
Platforms

Summary

Azure Synapse Analytics and Azure Data Factory were vulnerable to cross-tenant access and code execution. This was made possible via a combination of (1) a shell injection RCE vulnerability in the integration runtime, (2) credentials for multiple customers stored on a shared host and (3) an insecure management server API.

Affected Services

Synapse Analytics, Data Factory

Remediation

None required

Tracked CVEs

CVE-2022-29972

References

Disclosure Date
Tue, Jan 4th, 2022
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Discovered by
Tzah Pahima, Orca Security