CVE-2022-26907: Azure SDK for .NET Information Disclosure Vulnerability

Overview

Severity: Medium (CVSS 5.3)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Category: Information Disclosure
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2022-Apr
Released: 2022-04-12
EPSS Score: 0.94% (percentile: 76.2%)

FAQ

What type of information could be disclosed by this vulnerability?

This vulnerability could disclose sensitive information in the exception body, which might include user access tokens.

According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to have access to the location where the application that is using the SDK is storing the exception (for example, event logs).

Affected Products (1)

Azure

  • Azure SDK for .Net

Security Updates (1)

Revision History

  • 2022-04-12: Information published.