CVE-2022-39327

Published: Oct 25, 2022

Modified: Apr 22, 2025

PUBLISHED

CVSS v3.1

8.1

HIGH

Description

Azure CLI is the command-line interface for Microsoft Azure. In versions previous to 2.40.0, Azure CLI contains a vulnerability for potential code injection. Critical scenarios are where a hosting machine runs an Azure CLI command where parameter values have been provided by an external source. The vulnerability is only applicable when the Azure CLI command is run on a Windows machine and with any version of PowerShell and when the parameter value contains the `&` or `|` symbols. If any of these prerequisites are not met, this vulnerability is not applicable. Users should upgrade to version 2.40.0 or greater to receive a a mitigation for the vulnerability.

Vendor	Product	Versions
Azure	azure-cli	affected `< 2.40.0`

Weaknesses (CWE)

CWE-94

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/Azure/azure-cli/security/advisories/GHSA-47xc-9rr2-q7p4

https://github.com/Azure/azure-cli/pull/23514

https://github.com/Azure/azure-cli/pull/24015

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-39327

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References