VDB
GCVE-110-CLOUD-2023-0031
GCVE-110-CLOUD-2023-0031
Advisory Published
Binary Security found two vulnerabilities in the legacy Azure Resource Manager (ARM) REST API.
The first vulnerability allowed an attacker with Reader access to an Azure Function, acting from
a Windows host, to get an admin token that could be exchanged for a master key granting access
to all operations in Kudu (the Functions deployment service). This would allow them to tamper
with the function by deploying malicious code to it. The other vulnerability allowed an attacker
with Reader access to an Azure App Service to read all process environment variables, including
Key Vault references. For Azure Functions, this would result in complete compromise of the app.
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Azure | Key Vault | — | — |
| Azure | Functions | — | — |
| Azure | Azure Resource Manager (ARM), Azure Functions, Azure App Services | — | — |
| Azure | Cloud Services | — | — |
| Azure | App Service | — | — |
Browse GCVE Records
73,053 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.