VDB

GCVE-110-CLOUD-2023-0031

GCVE-110-CLOUD-2023-0031
Advisory Published
Vulnetix · Advisory published June 12, 2023
Binary Security found two vulnerabilities in the legacy Azure Resource Manager (ARM) REST API. The first vulnerability allowed an attacker with Reader access to an Azure Function, acting from a Windows host, to get an admin token that could be exchanged for a master key granting access to all operations in Kudu (the Functions deployment service). This would allow them to tamper with the function by deploying malicious code to it. The other vulnerability allowed an attacker with Reader access to an Azure App Service to read all process environment variables, including Key Vault references. For Azure Functions, this would result in complete compromise of the app.

Affected Products

VendorProductVersionsPlatforms
AzureKey Vault
AzureFunctions
AzureAzure Resource Manager (ARM), Azure Functions, Azure App Services
AzureCloud Services
AzureApp Service

References

advisory

Browse GCVE Records

73,053 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›