
225 Business information leak - Azure


Description

A series of flaws in Azure's service feature created a loophole. This vulnerability could allow users to access other customers' information on the platform.


Impact

- Compromise the Kubernetes clusters, giving attackers full control over other Azure customers' containers.
- Allow users to access other customers' information in the service.
- Allow any user to download, delete or manipulate a massive collection of commercial databases.


Recommendation

- Change users' login credentials.
- Rotate privileged credentials on a frequent basis.


Threat

External attacker with access and permissions over the database and service architecture.


Expected Remediation Time

120 minutes.


Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

  • Attack vector: N
  • Attack complexity: L
  • Attack Requirements: N
  • Privileges required: N
  • User interaction: N
  • Confidentiality (VC): L
  • Integrity (VI): L
  • Availability (VA): N
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: X

Requirements


Fixes


Last updated

2024/02/16