Microsoft has addressed a critical security vulnerability (CVE-2023-36052) in Azure CLI that could allow attackers to recover credentials from logs generated by Azure CLI commands in GitHub Actions or Azure DevOps.
Discovered by Palo Alto Networks researcher Aviad Hahami, the flaw stems from affected Azure CLI commands echoing credentials in their output; when those commands run in a pipeline, the secrets are written into the CI/CD log, and an unauthenticated attacker who can read that log (for example, the log of a public repository) can remotely access the plaintext contents.
Successful exploitation could therefore lead to the recovery of usernames and passwords from log files created by the affected CLI commands and published by Azure DevOps and GitHub Actions.
Microsoft recommends updating Azure CLI to version 2.53.1 or higher to mitigate the risks associated with this vulnerability.
Users are also advised to avoid exposing Azure CLI output in logs or publicly accessible locations, and to rotate keys and secrets regularly; any secret that already appeared in a retained or public build log should be treated as compromised and rotated rather than waiting for the next scheduled rotation.
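The two mitigations above (run a fixed Azure CLI, keep secrets out of pipeline logs) can be enforced in the pipeline itself. The following POSIX shell guard is an added example written for this article, not code from Microsoft or from the researchers: `check` refuses to proceed on an Azure CLI older than 2.53.1 (it reads the version with `az version --query '"azure-cli"' -o tsv`), and `redact` masks `"value"` fields and common connection-string key names in whatever is piped through it before the text reaches the build log. The log lines used in the comments and the key-name patterns are constructed for the demo; they are not Microsoft's redaction rules.

```shell
#!/bin/sh
# ci-guard.sh: added example for CVE-2023-36052 mitigations (not Microsoft's code).
#   sh ci-guard.sh check                       # fail the job on an unfixed Azure CLI
#   az webapp config appsettings set ... | sh ci-guard.sh redact   # mask secrets in output
# Hypothetical helper; the CI step names and patterns below are assumptions for the demo.

MIN_AZ_VERSION="2.53.1"   # first release with the CVE-2023-36052 fix

# version_ge A B: exit 0 if dotted version A >= B, comparing up to three numeric fields.
# Non-numeric suffixes (e.g. "1-beta") are ignored by awk's numeric coercion.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# check_az_version: query the installed Azure CLI and fail if it predates the fix.
check_az_version() {
    v=$(az version --query '"azure-cli"' -o tsv 2>/dev/null) || {
        echo "az not found or 'az version' failed" >&2
        return 2
    }
    if version_ge "$v" "$MIN_AZ_VERSION"; then
        echo "azure-cli $v >= $MIN_AZ_VERSION: OK"
    else
        echo "azure-cli $v predates $MIN_AZ_VERSION (CVE-2023-36052 unfixed); upgrade" >&2
        return 1
    fi
}

# redact_secrets: filter stdin, masking
#   1. every JSON "value": "..." field (the shape of app-settings command output), and
#   2. the secret part of SharedAccessKey=, AccountKey= and Password= connection-string
#      fragments that appear in free text.
# Constructed sample input / output:
#   {"name": "DB_CONN", "value": "Server=x;Password=hunter2"}  ->  {"name": "DB_CONN", "value": "***"}
#   Endpoint=sb://ns.servicebus.windows.net/;SharedAccessKey=abc123=  ->  ...;SharedAccessKey=***
redact_secrets() {
    sed -E \
        -e 's/("value": *")[^"]*(")/\1***\2/g' \
        -e 's/((SharedAccessKey|AccountKey|Password)=)[^;"[:space:]]+/\1***/g'
}

# Dispatch only when invoked with a sub-command, so sourcing the file has no side effects.
case "${1:-}" in
    check)  check_az_version ;;
    redact) redact_secrets ;;
esac
```

Redaction is a last line of defence, not a substitute for the upgrade: the cleanest option for an update command whose result the pipeline does not need is to run it with `--output none` so nothing is printed at all, and in GitHub Actions any secret value the job must print can additionally be registered with `::add-mask::` before it is used.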
Microsoft has also changed the Azure CLI default configuration so that update commands for services in the App Service family (for example, the app-settings commands for Web Apps and Function Apps) no longer display secrets in their output.
Additionally, the company has expanded the credential redaction in GitHub Actions and Azure Pipelines to recognise more Microsoft-issued key formats in build logs and obfuscate them, reducing the chance that such keys leak through publicly accessible logs.