CVE-2022-39327 : Azure CLI is the command-line interface for Microsoft Azure. In versions previou

Azure CLI is the command-line interface for Microsoft Azure. In versions previous to 2.40.0, Azure CLI contains a vulnerability for potential code injection. Critical scenarios are where a hosting machine runs an Azure CLI command where parameter values have been provided by an external source. The vulnerability is only applicable when the Azure CLI command is run on a Windows machine and with any version of PowerShell and when the parameter value contains the `&` or `|` symbols. If any of these prerequisites are not met, this vulnerability is not applicable. Users should upgrade to version 2.40.0 or greater to receive a a mitigation for the vulnerability.

Published 2022-10-25 17:15:56

Updated 2023-06-27 17:20:18

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2022-39327

Microsoft » Azure Command-line Interface
Versions before (<) 2.40.0
cpe:2.3:a:microsoft:azure_command-line_interface:*:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2022-39327

EPSS FAQ

0.22%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 41 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-39327

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.1	HIGH	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H	2.2	5.9	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-39327

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Assigned by: nvd@nist.gov (Primary)
CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)

References for CVE-2022-39327

https://github.com/Azure/azure-cli/security/advisories/GHSA-47xc-9rr2-q7p4

Improper Control of Generation of Code ('Code Injection') in Azure CLI · Advisory · Azure/azure-cli · GitHub
Exploit;Mitigation;Third Party Advisory
https://github.com/Azure/azure-cli/pull/24015

[Core] Revert #23514: Rename entry script `az.ps1` to `azps.ps1` by jiasli · Pull Request #24015 · Azure/azure-cli · GitHub
Patch;Third Party Advisory
https://github.com/Azure/azure-cli/pull/23514

[Core] Add `az.ps1` entry script for PowerShell by jiasli · Pull Request #23514 · Azure/azure-cli · GitHub
Exploit;Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-39327

Products affected by CVE-2022-39327

Exploit prediction scoring system (EPSS) score for CVE-2022-39327

CVSS scores for CVE-2022-39327

CWE ids for CVE-2022-39327

References for CVE-2022-39327