CVE-2023-35625: Azure Machine Learning Compute Instance for SDK Users Information Disclosure Vulnerability

Overview

Severity: Medium (CVSS 4.7)
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Category: Information Disclosure
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2023-Dec
Released: 2023-12-12
EPSS Score: 0.66% (percentile: 71.0%)

FAQ

According to the CVSS metric, the attack complexity is high (AC:H). What does this mean for this vulnerability?

The vulnerability enables data leakage only when a user's script is improperly used and triggers specific errors. The conditions required for triggering the error are not easily met, making the complexity high.

What type of information could be disclosed by this vulnerability?

The Azure Machine Learning (ML) training data associated with user accounts will be disclosed. This data primarily consists of information used for ML model training purposes within the Azure ML system.

Affected Products (1)

Azure

  • Azure Machine Learning SDK

Security Updates (1)

Acknowledgments

Fei Deng

Revision History

  • 2023-12-12: Information published.