VDB

GCVE-110-CLOUD-2023-0024

GCVE-110-CLOUD-2023-0024
Advisory Published
Vulnetix · Advisory published August 4, 2023
A vulnerability in Power Platform could lead to unauthorized access to Custom Code functions used for custom connectors, thereby allowing cross-tenant information disclosure of secrets or other sensitive information if these were embedded in a Custom Code function. The issue occurred as a result of insufficient access control to Azure Function hosts, which are launched as part of the creation and operation of custom connectors in Microsoft’s Power Platform. An attacker who determined the hostname of the Azure Function associated with the custom connector could interact with the function without authentication. Microsoft fixed the issue by requiring Azure Function keys for accessing the Function hosts and their HTTP trigger. An initial fix was deployed (on June 7th, 2023), but customers using affected Custom Code in a "soft deleted state" (part of a data recovery mechanism) remained vulnerable until a later fix was applied (on August 2nd, 2023).

Affected Products

VendorProductVersionsPlatforms
AzurePower Platform
AzureFunctions

References

advisory
advisory

Browse GCVE Records

72,096 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›