According to the CVSS metric, the attack complexity is high (AC:H) and user interaction is required (UI:R). What does that mean for this vulnerability? An attacker would need to trick the user to transfer a malicious JSON file and hope that user does not open and review it. If the user opens it, the user will see an invalid URL and not import it for his dashboard. But in a scenario where the user does import the malicious JSON file, the portal will not immediately send a token. Only in a corner case that a user configures the dashboard again from the portal will there be a token leak. How could an attacker exploit this vulnerability? An elevation of privilege vulnerability exists when the data widget of the Azure Stack Hub dashboard feature does not properly sanitize the connection URL. An unauthenticated attacker could exploit this vulnerability by sending crafted malicious URL to the user. This can be used to exfiltrate the authentication token of a user by sharing a dashboard publicly and then sending the link of the dashboard to the user. If that user clicks on the data widget, the token will leak and can be used by the attacker. The security update addresses vulnerability by helping to ensure that Azure Stack Hub dashboard properly sanitizes connection URLs.
Felix Boulet with <a href="https://www.cyber.gouv.qc.ca/">Centre gouvernemental de cyberdéfense (CGCD)</a>