CVE-2024-29993: Azure CycleCloud Elevation of Privilege Vulnerability

Overview

  • Severity: High (CVSS 8.8)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
  • Category: Elevation of Privilege
  • Exploit Status: Not Exploited
  • Exploitation Likelihood: Less Likely
  • Patch Tuesday: 2024-Apr
  • Released: 2024-04-09
  • EPSS Score: 3.69% (percentile: 87.9%)

FAQ

What privileges could be gained by an attacker who successfully exploited the vulnerability?

The attacker who successfully exploited this vulnerability could elevate privileges to the SuperUser role in the affected Azure CycleCloud instance.

According to the CVSS metric, privileges required is Low (PR:L). What does that mean for this vulnerability?

To exploit this vulnerability an attacker must have an account with the User role assigned.

Affected Products (1)

Azure

  • Azure CycleCloud 8.6.0

Security Updates (1)

Acknowledgments

Anonymous

Revision History

  • 2024-04-09: Information published.