What privileges could be gained by an attacker who successfully exploited the vulnerability? The attacker who successfully exploited the vulnerability could elevate privileges to the Administrator role in the vulnerable Azure CycleCloud instance. According to the CVSS metric, privileges required is Low (PR:L). What does that mean for this vulnerability? To exploit this vulnerability an attacker must have an account with the User role assigned. What actions do customers need to take to protect themselves from this vulnerability? Azure CycleCloud versions 7.9.0 - 7.9.11 were retired on 30 September, 2023 as documented here: CycleCloud 7 Retirement Guide. Customers with existing CycleCloud deployments using versions 7.9.0 - 7.9.11 must migrate their resources to CycleCloud version 8.6.2 to be protected by following the instructions here: Upgrading CycleCloud. Customers with existing CycleCloud deployments using versions 8.0.0 - 8.6.0 should update their resources to CycleCloud version 8.6.2 to be protected by following the instructions here: Upgrading CycleCloud.
<a href="https://www.linkedin.com/in/christianbortone/">Christian Bortone</a> with <a href="https://merckgroup.com/">Merck KGaA</a>