VDB

GCVE-110-CLOUD-2022-0042

GCVE-110-CLOUD-2022-0042
Advisory Published
Vulnetix · Advisory published March 9, 2022
Azure Logic Apps use API Connections to authenticate actions to services. Having Contributor access to an Azure Resource Manager (ARM) API Connection would allow someone to create arbitrary role assignments as the connected user. This was supposed to be limited to actions at the Resource Group level, but an attacker could escape to the Subscription or Root level with a path traversal payload. The root cause of this behavior was that such a payload would meet the Swagger API definition, and it would be resolved by the server, resulting in a request to an unintended scope.

Affected Products

VendorProductVersionsPlatforms
AzureAzure Logic Apps
AzureLogic Apps

References

advisory

Browse GCVE Records

73,442 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›