Information disclosure in Microsoft products - CVE-2023-36052
Published: November 14, 2023
Vulnerability identifier: #VU83107
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2023-36052
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Microsoft
Affected software:
az webapp config appsettings set
az webapp config appsettings delete
az staticwebapp appsettings set
az staticwebapp appsettings delete
az logicapp config appsettings set
az logicapp config appsettings delete
az functionapp config appsettings set
az functionapp config appsettings delete
Detailed vulnerability description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application in the Azure CLI REST Command. A remote attacker can gain unauthorized access to sensitive information on the system.
How to mitigate CVE-2023-36052
Install updates from the vendor's website.