| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The Java Key Vault Keys library in the Azure SDK for Java contains an issue in the local cryptographic verification path where authentication tag comparison was implemented incorrectly. In affected applications that use the vulnerable local cryptography path, specially crafted encrypted input may bypass integrity verification checks. Operations delegated to the Key Vault service are not affected. The issue is addressed in version 4.10.6. |
| Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges over a network. |
| Exposure of sensitive information to an unauthorized actor in Azure Entra ID allows an unauthorized attacker to perform spoofing over a network. |
| Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges over a network. |
| Server-side request forgery (ssrf) in Azure Notification Service allows an authorized attacker to elevate privileges over a network. |
| Untrusted search path in Azure Monitor Agent allows an authorized attacker to elevate privileges locally. |
| Improper access control in Azure Logic Apps allows an authorized attacker to elevate privileges over a network. |
| Improper neutralization of special elements in output used by a downstream component ('injection') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network. |
| External control of file name or path in Azure Monitor Agent allows an authorized attacker to elevate privileges locally. |
| Improper access control in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally. |
| The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| Improper access control in Azure AI Foundry M365 published agents allows an unauthorized attacker to elevate privileges over a network. |
| Improper neutralization of special elements used in a command ('command injection') in Azure Cloud Shell allows an unauthorized attacker to perform spoofing over a network. |
| Improper neutralization of input during web page generation ('cross-site scripting') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network. |
| Exposure of sensitive information to an unauthorized actor in Azure DevOps allows an unauthorized attacker to disclose information over a network. |
| Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network. |
| Insufficiently protected credentials in Azure Logic Apps allows an authorized attacker to elevate privileges over a network. |
| Exposure of sensitive information to an unauthorized actor in Azure IOT Central allows an authorized attacker to elevate privileges over a network. |
| Improper authentication in Azure SRE Agent allows an unauthorized attacker to disclose information over a network. |
| Deserialization of untrusted data in Azure Monitor Agent allows an authorized attacker to elevate privileges locally. |