Lucene search

HistoryNov 14, 2023 - 12:00 a.m.

Security Updates for Azure CLI (November 2023)

2023-11-1400:00:00

www.tenable.com

azure

cli

security updates

information disclosure

vulnerability

november 2023

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

8.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

49.7%

JSON

The Azure CLI is missing security updates. It is, therefore, affected by an Information Disclosure vulnerability.

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(185592);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/21");

  script_cve_id("CVE-2023-36052");

  script_name(english:"Security Updates for Azure CLI (November 2023)");

  script_set_attribute(attribute:"synopsis", value:
"The Azure CLI is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The Azure CLI is missing security updates. It is, therefore, affected by 
an Information Disclosure vulnerability.

Note that Nessus has not tested for these issues but has instead relied only on the application's 
self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://learn.microsoft.com/en-us/cli/azure/release-notes-azure-cli");
  script_set_attribute(attribute:"solution", value:
"Update the Azure CLI to version 2.54.0 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-36052");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/11/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/11/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/11/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:dynamics_365");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("microsoft_azure_cli_installed_win.nbin");
  script_require_keys("installed_sw/Microsoft Azure CLI");
  script_require_ports(139, 445);

  exit(0);
}

include('vcf.inc');

var app = 'Microsoft Azure CLI';
var app_info = vcf::get_app_info(app:app, win_local:TRUE);

var constraints = [
  { 'min_version' : '2.0', 'fixed_version' : '2.54.0'},
];

vcf::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_HOLE
);

VendorProductVersionCPE
microsoftdynamics_365cpe:/a:microsoft:dynamics_365

Vendor	Product	Version	CPE
microsoft	dynamics_365		cpe:/a:microsoft:dynamics_365

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36052

learn.microsoft.com/en-us/cli/azure/release-notes-azure-cli

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

8.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

49.7%

JSON

Related for SMB_NT_MS23_NOV_AZURE_CLI.NASL