GCVE-VVD-CLOUD-2024-0052
Advisory Published
Vulnetix · Advisory published January 31, 2024
Legit Security found a zero-click vulnerability in Azure Pipelines that allows an attacker to access secrets and internal information and to perform actions with elevated permissions in the context of a pipeline workflow. This could allow attackers to move laterally in the organization and initiate supply chain attacks. When a pipeline is triggered by a "pipeline resource trigger," it shows in the platform as "Automatically Triggered For …". Instead of running with the default fork permissions, which prevent any access to secrets and sensitive actions, Azure Pipelines "confuses" the trigger for an internal build, allowing access to sensitive build secrets. Exploitability depends on a public GitHub repository that runs Azure Pipelines on pull requests, with the default Azure Pipelines fork configuration used to trigger the pipeline run, and on configured Pipeline-Triggers.

Affected Products

Vendor   Product                                  Versions   Platforms
GitHub   Azure DevOps Services, Azure Pipelines
Azure    DevOps
Azure    Cloud Services
Azure    Azure DevOps Services, Azure Pipelines

References

advisory
