CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-43602

CVSS 9.9v3.1pub. 2024-11-12upd. 2024-11-19

Azure CycleCloud Remote Code Execution Vulnerability

🤖 AI Analysis
How it works

The vulnerability results from improper authorization (CWE-285), meaning the access control mechanism does not properly verify the requesting user's permissions. An attacker possessing an account with low privilege level can send a specially crafted network request without requiring any interaction from the victim. Successful exploitation of the vulnerability leads to arbitrary code execution in the context of the Azure CycleCloud server.

Impact

An attacker can gain full control over the Azure CycleCloud instance, obtaining the ability to read and modify data as well as disrupt the operation of managed compute clusters. The scope of impact extends beyond the directly vulnerable component (S:C), creating a risk of lateral movement within the cloud infrastructure.

Mitigation & patch

Security patches available from the vendor should be applied in accordance with references published at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43602. Immediate implementation of updates is recommended, as well as restricting access to the Azure CycleCloud management interface exclusively to trusted IP addresses.

Who is affected

Microsoft Azure CycleCloud — versions specified in vendor references (Microsoft Security Response Center).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Microsoft Azure Cyclecloud

    APP
    Microsoft
    8.0.0 – 8.6.5 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2024-43469HIGH8.8ten sam produkt

Azure CycleCloud Remote Code Execution Vulnerability

CVE-2024-38195HIGH7.8ten sam produkt

Azure CycleCloud Remote Code Execution Vulnerability

CVE-2024-38092HIGH8.8ten sam produkt

Azure CycleCloud Elevation of Privilege Vulnerability

CVE-2024-29993HIGH8.8ten sam produkt

Azure CycleCloud Elevation of Privilege Vulnerability

CVE-2022-41085HIGH7.5ten sam produkt

Azure CycleCloud Elevation of Privilege Vulnerability