{ "id": "CVE-2020-16904", "sourceIdentifier": "secure@microsoft.com", "published": "2020-10-16T23:15:13.960", "lastModified": "2024-11-21T05:07:21.637", "vulnStatus": "Modified", "cveTags": [], "descriptions": [ { "lang": "en", "value": "

An elevation of privilege vulnerability exists in the way Azure Functions validate access keys.

\n

An unauthenticated attacker who successfully exploited this vulnerability could invoke an HTTP Function without proper authorization.

\n

This security update addresses the vulnerability by correctly validating access keys used to access HTTP Functions.

\n" }, { "lang": "es", "value": "Se presenta una vulnerabilidad de escalada de privilegios en la manera que Azure Functions comprueba claves de acceso. Un atacante no autenticado que explotara con \u00e9xito esta vulnerabilidad podr\u00eda invocar una Funci\u00f3n HTTP sin la apropiada autorizaci\u00f3n. Esta actualizaci\u00f3n de seguridad aborda la vulnerabilidad al comprobar correctamente unas claves de acceso usadas para acceder a unas funciones HTTP, tambi\u00e9n se conoce como \"Azure Functions Elevation of Privilege Vulnerability\"" } ], "metrics": { "cvssMetricV31": [ { "source": "secure@microsoft.com", "type": "Secondary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE" }, "exploitabilityScore": 3.9, "impactScore": 1.4 }, { "source": "nvd@nist.gov", "type": "Secondary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH" }, "exploitabilityScore": 3.9, "impactScore": 5.9 } ], "cvssMetricV2": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL" }, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false } ] }, "weaknesses": [ { "source": "nvd@nist.gov", "type": "Primary", "description": [ { "lang": "en", "value": "CWE-863" } ] } ], "configurations": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_functions:-:*:*:*:*:*:*:*", "matchCriteriaId": "55C8D12F-35AE-4DEF-B47C-D686B0F11B0B" } ] } ] } ], "references": [ { "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16904", "source": "secure@microsoft.com", "tags": [ "Patch", "Vendor Advisory" ] }, { "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16904", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ] } ] }