CVE-2024-29063: Azure AI Search Information Disclosure Vulnerability

Overview

Severity

High (CVSS 7.3)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L/E:P/RL:O/RC:C

Category

Information Disclosure

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2024-Apr

Released

2024-04-09

EPSS Score

1.22% (percentile: 79.1%)

FAQ

What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could obtain sensitive API Keys. What actions do customers need to take to protect themselves from this vulnerability? The vulnerability has been mitigated by a recent update to Azure AI Search's backend infrastructure. Customers who are required to rotate specific credentials have been notified through Azure Service Health Alerts under TrackingID: WL1G-3TZ. See here for information on how to view Azure Service Health Alerts in the Azure Portal. Customers who did not receive this Azure Service Health Alert do not need to take any action to be protected against this vulnerability.

Affected Products (1)

Azure

• Azure AI Search

Security Updates (1)

• Release Notes

Acknowledgments

Anonymous

Revision History

• 2024-04-09: Information published.