Bmc-Msft

#23529 of 53,624
10 Total CVSS
Vulnerabilities · 1
PT-2021-21824
10
2021-08-13
Microsoft · Onefuzz · CVE-2021-37705
**Name of the Vulnerable Software and Affected Versions**

OneFuzz versions 2.12.0 through 2.30.0

**Description**

The issue is related to an incomplete authorization check in OneFuzz, allowing an authenticated user from any Azure Active Directory tenant to make authorized API calls to a vulnerable OneFuzz instance. This can result in read/write access to private data, such as software vulnerability and crash information, security testing tools, and proprietary code and symbols. Additionally, it enables tampering with existing data and unauthorized code execution on Azure compute resources.

**Recommendations**

For OneFuzz versions 2.12.0 through 2.30.0, users can restrict access to the tenant of a deployed OneFuzz instance by redeploying in the default configuration, which omits the `--multi_tenant_domain` option. For OneFuzz versions prior to 2.31.0, update to version 2.31.0 or later, which includes the addition of an application-level check of the bearer token's `issuer` against an administrator-configured allowlist.
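The fix described above (an application-level check of the bearer token's issuer against an administrator-configured allowlist) is illustrated below with an added Python example. It is not OneFuzz's own code: the function names, the `ALLOWED_TENANTS` set, the audience value and the tenant IDs are all constructed for the illustration, and the claims are assumed to come from a token whose signature, expiry and audience have already been validated by the normal JWT middleware. The audience-only check beside the allowlist check shows why a multi-tenant app registration accepts tokens from any Azure AD tenant unless the application itself restricts the issuer.

```python
"""Issuer allowlist check for Azure AD bearer tokens (added illustration)."""
from urllib.parse import urlparse

# Constructed values for the example; not real tenants or app registrations.
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}
EXPECTED_AUDIENCE = "api://onefuzz-example"

# Issuer hosts used by Azure AD v1 (sts.windows.net/{tid}/) and
# v2 (login.microsoftonline.com/{tid}/v2.0) tokens.
AZURE_AD_ISSUER_HOSTS = ("sts.windows.net", "login.microsoftonline.com")


def tenant_from_issuer(issuer):
    """Return the tenant ID embedded in an Azure AD issuer URL, or None."""
    u = urlparse(issuer)
    if u.scheme != "https" or u.netloc not in AZURE_AD_ISSUER_HOSTS:
        return None
    parts = [p for p in u.path.split("/") if p]
    return parts[0] if parts else None


def authorize_vulnerable(claims):
    """Audience-only check: a valid token from ANY tenant is accepted,
    which is the incomplete authorization the advisory describes."""
    return claims.get("aud") == EXPECTED_AUDIENCE


def authorize_fixed(claims, allowed_tenants=ALLOWED_TENANTS):
    """Audience check plus an application-level issuer allowlist."""
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False
    iss = claims.get("iss")
    if not isinstance(iss, str):
        return False
    tid = tenant_from_issuer(iss)
    if tid is None:
        return False
    # When a 'tid' claim is present it must agree with the issuer's tenant.
    if "tid" in claims and claims["tid"] != tid:
        return False
    return tid in allowed_tenants


# Constructed claim sets: one from the home tenant, one from a foreign tenant
# that also obtained a token for the same multi-tenant app registration.
HOME_TENANT_CLAIMS = {
    "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
    "tid": "11111111-1111-1111-1111-111111111111",
    "aud": EXPECTED_AUDIENCE,
    "oid": "user-in-home-tenant",
}
FOREIGN_TENANT_CLAIMS = {
    "iss": "https://sts.windows.net/22222222-2222-2222-2222-222222222222/",
    "tid": "22222222-2222-2222-2222-222222222222",
    "aud": EXPECTED_AUDIENCE,
    "oid": "user-in-other-tenant",
}


def compare_checks():
    """Return (vulnerable_accepts_foreign, fixed_accepts_foreign, fixed_accepts_home)."""
    return (
        authorize_vulnerable(FOREIGN_TENANT_CLAIMS),
        authorize_fixed(FOREIGN_TENANT_CLAIMS),
        authorize_fixed(HOME_TENANT_CLAIMS),
    )


if __name__ == "__main__":
    print(compare_checks())  # (True, False, True)
```

The allowlist is keyed on the tenant ID rather than on the full issuer string so that both the v1 and v2 issuer forms of the same tenant are accepted, and a mismatch between the `tid` claim and the issuer path is rejected rather than trusted.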