CVE-2020-16904: Azure Functions Elevation of Privilege Vulnerability

Overview

Severity

Medium (CVSS 5.3)

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

Category

Elevation of Privilege

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2020-Oct

Released

2020-10-13

EPSS Score

2.43% (percentile: 85.2%)

Description

An elevation of privilege vulnerability exists in the way Azure Functions validate access keys. An unauthenticated attacker who successfully exploited this vulnerability could invoke an HTTP Function without proper authorization. This security update addresses the vulnerability by correctly validating access keys used to access HTTP Functions.

FAQ

How do I get the Azure Functions update? Re-start your Azure Functions app to get the latest version with the security update.

Affected Products (1)

Other

• 11795

Acknowledgments

James Hardaker

Revision History

• 2020-10-13: Information published.