CVSS: 6.1EPSS: 4%CPEs: 1EXPL: 2CVE-2023-23408 – Azure Apache Ambari Spoofing Vulnerability
https://notcve.org/view.php?id=CVE-2023-23408
14 Mar 2023 — Azure Apache Ambari Spoofing Vulnerability Azure Apache Ambari Spoofing Vulnerability Azure Apache Ambari version 2302250400 suffers from a spoofing vulnerability. • https://packetstorm.news/files/id/173134 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.2EPSS: 0%CPEs: 2EXPL: 0CVE-2023-23383 – Service Fabric Explorer Spoofing Vulnerability
https://notcve.org/view.php?id=CVE-2023-23383
14 Mar 2023 — Service Fabric Explorer Spoofing Vulnerability • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23383 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23939 – Azure/setup-kubectl: Escalation of privilege vulnerability for v3 and lower
https://notcve.org/view.php?id=CVE-2023-23939
06 Mar 2023 — Azure/setup-kubectl is a GitHub Action for installing Kubectl. This vulnerability only impacts versions before version 3. An insecure temporary creation of a file allows other actors on the Actions runner to replace the Kubectl binary created by this action because it is world writable. This Kubectl tool installer runs `fs.chmodSync(kubectlPath, 777)` to set permissions on the Kubectl binary, however, this allows any local user to replace the Kubectl binary. This allows privilege escalation to the user that... • https://github.com/Azure/setup-kubectl/commit/d449d75495d2b9d1463555bb00ca3dca77a42ab6 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2023-21553 – Azure DevOps Server Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-21553
14 Feb 2023 — Azure DevOps Server Remote Code Execution Vulnerability • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21553 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-21564 – Azure DevOps Server Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2023-21564
14 Feb 2023 — Azure DevOps Server Cross-Site Scripting Vulnerability • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21564 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.3EPSS: 1%CPEs: 2EXPL: 0CVE-2023-21703 – Azure Data Box Gateway Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-21703
14 Feb 2023 — Azure Data Box Gateway Remote Code Execution Vulnerability • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21703 • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.8EPSS: 1%CPEs: 1EXPL: 0CVE-2023-23382 – Azure Machine Learning Compute Instance Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2023-23382
14 Feb 2023 — Azure Machine Learning Compute Instance Information Disclosure Vulnerability This vulnerability allows remote attackers to disclose sensitive information on Microsoft Azure. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of credentials within Azure Machine Learning Service workbooks. The issue results from storing sensitive information in plaintext. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromis... • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23382 • CWE-257: Storing Passwords in a Recoverable Format •
CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2023-21777 – Azure App Service on Azure Stack Hub Elevation of Privilege Vulnerability
https://notcve.org/view.php?id=CVE-2023-21777
14 Feb 2023 — Azure App Service on Azure Stack Hub Elevation of Privilege Vulnerability • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21777 • CWE-269: Improper Privilege Management CWE-284: Improper Access Control •
CVSS: 7.0EPSS: 0%CPEs: 3EXPL: 0CVE-2023-21531 – Azure Service Fabric Container Elevation of Privilege Vulnerability
https://notcve.org/view.php?id=CVE-2023-21531
10 Jan 2023 — Azure Service Fabric Container Elevation of Privilege Vulnerability Vulnerabilidad de elevación de privilegios en el contenedor de Azure Service Fabric This vulnerability allows local attackers to disclose sensitive information on Microsoft Azure. An attacker must first obtain the ability to execute high-privileged code within a container on the target system in order to exploit this vulnerability. The specific flaw exists within the WAagent daemon. The issue results from insufficient verification of the or... • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21531 • CWE-269: Improper Privilege Management CWE-284: Improper Access Control •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23551 – AAD Pod Identity obtaining token with backslash
https://notcve.org/view.php?id=CVE-2022-23551
21 Dec 2022 — aad-pod-identity assigns Azure Active Directory identities to Kubernetes applications and has now been deprecated as of 24 October 2022. The NMI component in AAD Pod Identity intercepts and validates token requests based on regex. In this case, a token request made with backslash in the request (example: `/metadata/identity\oauth2\token/`) would bypass the NMI validation and be sent to IMDS allowing a pod in the cluster to access identities that it shouldn't have access to. This issue has been fixed and has... • https://github.com/Azure/aad-pod-identity/commit/7e01970391bde6c360d077066ca17d059204cb5d • CWE-863: Incorrect Authorization CWE-1259: Improper Restriction of Security Token Assignment •