CVE-2024-38195: Azure CycleCloud Remote Code Execution Vulnerability
Overview
- Severity
- High (CVSS 7.8)
- CVSS Vector
- CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
- Category
- Remote Code Execution
- Exploit Status
- Not Exploited
- Exploitation Likelihood
- Less Likely
- Patch Tuesday
- 2024-Aug
- Released
- 2024-08-13
- EPSS Score
- 0.49% (percentile: 65.5%)
FAQ
How could an attacker exploit this vulnerability?
An authenticated attacker with permissions to execute commands on the Azure CycleCloud instance could send a specially crafted request that returns the storage account credentials and runtime data. The attacker can then use the comprised credentials to access the underlying storage resources and upload malicious scripts which will be executed as Root, enabling remote code execution to be performed on any cluster in the CycleCloud instance.
Affected Products (16)
Azure
- Azure CycleCloud 8.2.0
- Azure CycleCloud 8.0.0
- Azure CycleCloud 8.6.0
- Azure CycleCloud 8.0.1
- Azure CycleCloud 8.0.2
- Azure CycleCloud 8.1.0
- Azure CycleCloud 8.1.1
- Azure CycleCloud 8.2.2
- Azure CycleCloud 8.2.1
- Azure CycleCloud 8.3.0
- Azure CycleCloud 8.4.0
- Azure CycleCloud 8.4.1
- Azure CycleCloud 8.4.2
- Azure CycleCloud 8.5.0
- Azure CycleCloud 8.6.2
- Azure CycleCloud 8.6.1
Security Updates (1)
Acknowledgments
Anonymous
Revision History
- 2024-08-13: Information published.