CVE-2024-43469: Azure CycleCloud Remote Code Execution Vulnerability

Overview

Severity

High (CVSS 8.8)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Remote Code Execution

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2024-Sep

Released

2024-09-10

EPSS Score

0.53% (percentile: 67.1%)

FAQ

How could an attacker exploit this vulnerability? An attacker with basic user permissions can send specially crafted requests to modify the configuration of an Azure CycleCloud cluster to gain Root level permissions enabling them to execute commands on any Azure CycleCloud cluster in the current instance and in some scenarios, compromise administrator credentials.

Affected Products (17)

Azure

• Azure CycleCloud 8.2.0
• Azure CycleCloud 8.0.0
• Azure CycleCloud 8.6.0
• Azure CycleCloud 8.0.1
• Azure CycleCloud 8.0.2
• Azure CycleCloud 8.1.0
• Azure CycleCloud 8.1.1
• Azure CycleCloud 8.2.2
• Azure CycleCloud 8.2.1
• Azure CycleCloud 8.3.0
• Azure CycleCloud 8.4.0
• Azure CycleCloud 8.4.1
• Azure CycleCloud 8.4.2
• Azure CycleCloud 8.5.0
• Azure CycleCloud 8.6.1
• Azure CycleCloud 8.6.2
• Azure CycleCloud 8.6.3

Security Updates (1)

• Release Notes

Acknowledgments

Anonymous

Revision History

• 2024-09-10: Information published.