PT-2022-6012 · Microsoft · Azure Cli

Chasewilson · Published 2022-10-25 · Updated 2026-01-21 · CVE-2022-39327

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Azure CLI versions prior to 2.40.0

Description: Azure CLI, the command-line interface for Microsoft Azure, contains a potential code injection issue in versions prior to 2.40.0. The issue can be exploited when a hosting machine runs an Azure CLI command with parameter values supplied by an external source. It applies only when the Azure CLI command is run on a Windows machine, with any version of PowerShell, and when a parameter value contains the & or | characters. Critical scenarios are hosting machines that run Azure CLI commands with external input, such as a web application creating secrets in Azure KeyVault: an attacker could inject system commands or scripts by supplying a parameter value containing & or |.

Recommendations: To resolve the issue, upgrade to Azure CLI version 2.40.0 or greater. Alternatively, for versions 2.41.0 and later, manually call the azps.ps1 entry script in identified critical scenarios, for example: C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\azps.ps1 keyvault secret set --vault-name SomeVault --name foobar --value "abc123|whoami". Note that using the azps.ps1 entry script may introduce regressions and issues in Azure CLI's behavior, and users should verify command effectiveness before use in production environments.
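The critical scenario named above is a service that forwards caller-supplied values into an Azure CLI command. The following is an added example of how such a service can gate those values before they reach the CLI; it is not Azure CLI or Microsoft code. It assumes the service builds an argv list for subprocess, that AZPS_ENTRY_SCRIPT is the azps.ps1 path given in the recommendation, and it treats '<', '>' and '^' as metacharacters in addition to the '&' and '|' the advisory names (a conservative defensive choice, not something the advisory states).

```python
"""Input gate for a service that passes external values to the Azure CLI.

Added example, not Azure CLI code. Assumptions: the service invokes the CLI
through subprocess with an argv list, and AZPS_ENTRY_SCRIPT is the entry
script path from the advisory's workaround (used only to build argv here).
"""
from __future__ import annotations

import subprocess
import sys

# The advisory names '&' and '|' as the characters that make the cmd.exe
# wrapper run a second command. '<', '>' and '^' are added here as a
# conservative superset of cmd.exe metacharacters (defensive assumption).
CMD_METACHARACTERS = frozenset("&|<>^")

# Path of the PowerShell entry script named in the advisory's workaround.
AZPS_ENTRY_SCRIPT = r"C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\azps.ps1"


class UnsafeCliArgument(ValueError):
    """Raised when a value would be reinterpreted by the cmd.exe wrapper."""


def check_cli_argument(value: str) -> str:
    """Return value unchanged, or raise if it carries cmd.exe metacharacters."""
    found = sorted(set(value) & CMD_METACHARACTERS)
    if found:
        raise UnsafeCliArgument(
            f"refusing to pass value to az: contains {''.join(found)!r}")
    return value


def build_secret_set_argv(vault: str, name: str, value: str,
                          platform: str = sys.platform) -> list[str]:
    """Build argv for `az keyvault secret set` from externally supplied fields.

    Every field is validated first, on every platform, so the gate holds even
    after the CLI itself is upgraded. On Windows the azps.ps1 entry script is
    called instead of the az.cmd wrapper, as the advisory's workaround does;
    invoking it through `powershell.exe -File` is this example's assumption.
    """
    for field in (vault, name, value):
        check_cli_argument(field)
    cli_args = ["keyvault", "secret", "set",
                "--vault-name", vault, "--name", name, "--value", value]
    if platform.startswith("win"):
        return ["powershell.exe", "-NoProfile", "-File", AZPS_ENTRY_SCRIPT, *cli_args]
    return ["az", *cli_args]


def run_secret_set(vault: str, name: str, value: str) -> subprocess.CompletedProcess:
    """Run the command with shell=False so no shell parses the argument list."""
    argv = build_secret_set_argv(vault, name, value)
    return subprocess.run(argv, check=True, capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed sample inputs: a benign secret and the advisory's own
    # "abc123|whoami" payload shape, which the gate must reject.
    for candidate in ("abc123", "abc123|whoami", "x&calc"):
        try:
            print("accepted:", check_cli_argument(candidate))
        except UnsafeCliArgument as exc:
            print("rejected:", exc)
    print(build_secret_set_argv("SomeVault", "foobar", "abc123", platform="win32"))
```

The gate runs before any CLI invocation and regardless of platform, so a later upgrade to 2.40.0 removes the injection path in the CLI while the service still refuses values that would have exercised it; `run_secret_set` uses an argv list with `shell=False` so that the only place these characters could be reinterpreted is the CLI's own wrapper, which the entry script bypasses.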

Exploit

Fix

Code Injection

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2022-07463
BIT-AZURE-CLI-2022-39327
CVE-2022-39327
GHSA-47XC-9RR2-Q7P4
PYSEC-2022-43177

Affected Products

Azure Cli