CVE-2022-39327
Description
Azure CLI is the command-line interface for Microsoft Azure. In versions previous to 2.40.0, Azure CLI contains a vulnerability for potential code injection. Critical scenarios are where a hosting machine runs an Azure CLI command where parameter values have been provided by an external source. The vulnerability is only applicable when the Azure CLI command is run on a Windows machine and with any version of PowerShell and when the parameter value contains the `&` or `|` symbols. If any of these prerequisites are not met, this vulnerability is not applicable. Users should upgrade to version 2.40.0 or greater to receive a mitigation for the vulnerability.
CVE-2022-39327
| Name | CVE-2022-39327 |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| azure-cli (PTS) | bullseye | 2.18.0-2 | fixed |
| azure-cli (PTS) | bookworm | 2.45.0-1 | fixed |
| azure-cli (PTS) | trixie | 2.74.0-1 | fixed |
| azure-cli (PTS) | forky | 2.86.0-1 | fixed |
| azure-cli (PTS) | sid | 2.87.0-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| azure-cli | source | (unstable) | (not affected) | | | |
Notes
- azure-cli <not-affected> (Windows-specific vulnerabilities)
- https://github.com/Azure/azure-cli/security/advisories/GHSA-47xc-9rr2-q7p4
- https://github.com/Azure/azure-cli/pull/23514
- https://github.com/Azure/azure-cli/pull/24015
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 0 |
| debian | bullseye | fixed | 0 |
| debian | forky | fixed | 0 |
| debian | sid | fixed | 0 |
| debian | trixie | fixed | 0 |
| sles | | affected | |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | azure-cli | <2.40.0 | 2.40.0 |
References
- https://github.com/Azure/azure-cli/security/advisories/GHSA-47xc-9rr2-q7p4
- https://nvd.nist.gov/vuln/detail/CVE-2022-39327
- https://github.com/Azure/azure-cli/pull/23514
- https://github.com/Azure/azure-cli/pull/24015
- https://github.com/Azure/azure-cli
- https://github.com/pypa/advisory-database/tree/main/vulns/azure-cli/PYSEC-2022-43177.yaml
- https://security-tracker.debian.org/tracker/CVE-2022-39327
- https://www.suse.com/security/cve/CVE-2022-39327.html