VDB

GCVE-110-CLOUD-2024-0050

GCVE-110-CLOUD-2024-0050
Advisory Published
Vulnetix · Advisory published February 13, 2024
When the ASR service is enabled, it uses an Automation Account with a System-Assigned Managed Identity to manage Site Recovery extensions on VMs. However, the Runbook (a set of scripts for managing extensions) executed by the Automation Account had its job output visible to users, and this output mistakenly included a cleartext Management-scoped Access Token for the System-Assigned Managed Identity, which possesses the Contributor role over the entire Azure subscription. Therefore, lower-privileged user roles who could access the Automation Account's job output could see and use this Access Token. This access allowed these users to impersonate the Managed Identity, thereby elevating their privileges to that of a Contributor for the whole subscription, including the ability to execute commands on VMs as `NT Authority\\SYSTEM`.

Affected Products

VendorProductVersionsPlatforms
AzureAzure Site Recovery (ASR)
AzureCloud Services
AzureManaged Identity

References

advisory

Browse GCVE Records

71,925 records in the GCVE database · Updated July 13, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›