Insufficiently protected credentials in Azure Logic Apps allows an authorized attacker to elevate privileges over a network.
What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited this vulnerability could gain administrator privileges within the Logic Apps environment.

How could an attacker exploit the vulnerability?

An attacker could create a forged authentication token and use it to call administrative function APIs. This may allow them to retrieve keys, access the file system, and deploy unauthorized code within the Logic Apps environment.

How do customers mitigate this vulnerability?

Customers are protected through service-side (control plane) updates, which are applied automatically: there is no download, build number, or manual update required to receive the fix. The only exception is existing Logic Apps that were created when WEBSITE_AUTH_ENCRYPTION_KEY was configured as an environment variable. For those existing apps, customers must make a small update (edit any environment variable) to trigger the change and fully mitigate the issue. New or updated Logic Apps already use a secret reference for the auth key and are mitigated automatically without any customer action.
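The mitigation above leaves one decision to the customer: which existing Logic Apps still carry WEBSITE_AUTH_ENCRYPTION_KEY as a literal app setting, and therefore need the "edit any environment variable" nudge. The script below is an added example for triaging that, not Microsoft's tooling and not part of this advisory. It assumes the Azure CLI command group `az logicapp` (in particular `az logicapp config appsettings list` and `az logicapp config appsettings set`), assumes that a "secret reference" is a value beginning with `@Microsoft.KeyVault(` (the advisory does not say what form the reference takes), and uses an arbitrary, harmless setting name LOGICAPP_MITIGATION_TOUCH as the variable to edit. The sample app settings embedded at the bottom are constructed to mirror the JSON shape the CLI returns.

```python
"""Triage Logic Apps (Standard) for the WEBSITE_AUTH_ENCRYPTION_KEY mitigation.

Added example, not Microsoft's code. Assumptions (not stated in the advisory):
  * app settings come from `az logicapp config appsettings list`, a JSON list
    of {"name", "value", "slotSetting"} objects;
  * a secret reference is a value starting with "@Microsoft.KeyVault(";
  * adding/changing the harmless setting LOGICAPP_MITIGATION_TOUCH counts as
    "editing any environment variable" and triggers the service-side change.
"""
import json
import shutil
import subprocess
from datetime import datetime, timezone

AUTH_KEY_SETTING = "WEBSITE_AUTH_ENCRYPTION_KEY"
SECRET_REF_PREFIX = "@Microsoft.KeyVault("      # assumed form of a secret reference
TOUCH_SETTING = "LOGICAPP_MITIGATION_TOUCH"     # hypothetical, harmless setting name


def classify_auth_key(settings):
    """Return 'absent', 'reference' or 'literal' for one app's settings list."""
    for s in settings:
        if s.get("name") == AUTH_KEY_SETTING:
            value = s.get("value") or ""
            return "reference" if value.startswith(SECRET_REF_PREFIX) else "literal"
    return "absent"


def needs_manual_mitigation(settings):
    """Only apps that still hold the key as a literal need the customer nudge."""
    return classify_auth_key(settings) == "literal"


def touch_command(name, resource_group, stamp=None):
    """Build the az CLI call that edits one harmless app setting on the app."""
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    return ["az", "logicapp", "config", "appsettings", "set",
            "--name", name, "--resource-group", resource_group,
            "--settings", f"{TOUCH_SETTING}={stamp}"]


def triage(apps):
    """apps: list of {"name", "resourceGroup", "settings"}; returns app names needing the nudge."""
    return [a["name"] for a in apps if needs_manual_mitigation(a["settings"])]


def run_against_subscription(dry_run=True):
    """Enumerate every Logic App in the current subscription and (optionally) apply the nudge."""
    if shutil.which("az") is None:
        raise RuntimeError("Azure CLI not found; run classify_auth_key() on exported JSON instead")
    apps = json.loads(subprocess.check_output(["az", "logicapp", "list", "-o", "json"]))
    for app in apps:
        raw = subprocess.check_output(
            ["az", "logicapp", "config", "appsettings", "list",
             "--name", app["name"], "--resource-group", app["resourceGroup"], "-o", "json"])
        state = classify_auth_key(json.loads(raw))
        print(f"{app['name']}: {state}")
        if state == "literal":
            cmd = touch_command(app["name"], app["resourceGroup"])
            print("  ->", " ".join(cmd))
            if not dry_run:
                subprocess.check_call(cmd)


# Constructed sample data in the shape of `az logicapp config appsettings list` output.
SAMPLE_APPS = [
    {"name": "legacy-orders", "resourceGroup": "rg-prod", "settings": [
        {"name": "FUNCTIONS_WORKER_RUNTIME", "value": "node", "slotSetting": False},
        {"name": AUTH_KEY_SETTING, "value": "0123456789abcdef0123456789abcdef", "slotSetting": False},
    ]},
    {"name": "new-invoices", "resourceGroup": "rg-prod", "settings": [
        {"name": "FUNCTIONS_WORKER_RUNTIME", "value": "node", "slotSetting": False},
        {"name": AUTH_KEY_SETTING,
         "value": "@Microsoft.KeyVault(SecretUri=https://kv-example.vault.azure.net/secrets/authkey/)",
         "slotSetting": False},
    ]},
    {"name": "no-auth-key", "resourceGroup": "rg-dev", "settings": [
        {"name": "FUNCTIONS_WORKER_RUNTIME", "value": "dotnet", "slotSetting": False},
    ]},
]

if __name__ == "__main__":
    print("apps needing the manual nudge:", triage(SAMPLE_APPS))
    for app in SAMPLE_APPS:
        if needs_manual_mitigation(app["settings"]):
            print(" ".join(touch_command(app["name"], app["resourceGroup"])))
```

Run it as-is to see the triage on the constructed sample; call run_against_subscription(dry_run=False) from an authenticated Azure CLI session to apply the nudge. Afterwards, re-list the app settings and confirm the auth key now appears as a reference rather than a literal before treating the app as mitigated.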
Nick Wojciechowski