Microsoft Patches Sensitive Information Disclosure Vulnerability in Azure CLI
Briefly

Tracked as CVE-2023-36052 (CVSS score of 8.6) and addressed with the release of Azure CLI 2.54 as part of the November 2023 Patch Tuesday, the bug existed because certain Azure CLI functions would inadvertently expose secrets through CI/CD logs.
"An attacker that successfully exploited this vulnerability could recover plaintext passwords and usernames from log files created by the affected CLI commands and published by Azure DevOps and/or GitHub Actions," Microsoft notes in its advisory.
In guidance on addressing CVE-2023-36052, Microsoft explains that changes were made to several Azure CLI commands and that additional changes will be made to harden Azure CLI against secrets exposure.
Read at SecurityWeek