Microsoft has fixed a critical security vulnerability in the Azure CLI that could let attackers recover plaintext usernames and passwords from log files created by the affected CLI commands and published by Azure DevOps or GitHub Actions.
The vulnerability was identified by a security researcher from Palo Alto’s Prisma Cloud.
Customers who recently used Azure CLI commands were notified through the Azure Portal, Microsoft said. The company has also implemented a new Azure CLI default configuration to bolster security measures, aiming to prevent accidental disclosure of sensitive information.
With the update, secrets are no longer shown by default in the output of update commands for services in the App Service family, including Web Apps and Functions.
“We’re expanding our credential redaction capabilities in GitHub Actions and Azure Pipelines to identify a wider number of recognizable key patterns in build logs and mask them,” Microsoft shared in a blog post.
The company has also advised existing users to update Azure CLI to the latest release, to avoid exposing Azure CLI output in logs or publicly accessible locations, and to rotate keys regularly.
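The two mitigations described above, a CLI that stops printing secrets by default and a CI system that masks recognizable key patterns in build logs, can be approximated by a filter sitting between the CLI and the log. The following Python script is an added example and is not Microsoft's code: the list of sensitive field names and the value patterns are a practitioner's illustrative assumptions, not the pattern set Azure CLI, GitHub Actions or Azure Pipelines actually use, and the sample output is constructed to resemble the JSON shape of an `az webapp config appsettings set` call (also an assumption) with fake values.

```python
"""Redaction filter for Azure CLI output before it lands in CI logs.

Added example, not Microsoft's code. The sensitive field names and the
value patterns below are illustrative assumptions, not the pattern set that
Azure CLI, GitHub Actions or Azure Pipelines actually use.
"""
import json
import re
import sys

MASK = "***"

# Field names whose values are masked outright (assumption: a practitioner's
# list, not Microsoft's). Matched case-insensitively as substrings of the key.
SENSITIVE_KEYS = re.compile(
    r"password|passwd|pwd|secret|connectionstring|accountkey|token|sas", re.I
)

# Value patterns applied to every string, even under innocuous-looking keys.
# Illustrative only: an AccountKey= fragment in a connection string, a
# Password=/Pwd= fragment, and a bare 88-character base64 blob of the shape
# used by Azure Storage account keys.
VALUE_PATTERNS = [
    (re.compile(r"(AccountKey=)[A-Za-z0-9+/=]{20,}"), r"\1" + MASK),
    (re.compile(r"((?:Password|Pwd)=)[^;\s\"]+", re.I), r"\1" + MASK),
    (re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{86}==(?![A-Za-z0-9+/])"), MASK),
]


def redact_value(text: str) -> str:
    """Mask recognizable secret shapes inside a single string."""
    for pattern, replacement in VALUE_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def redact(obj):
    """Walk parsed JSON. App Service settings come back as a list of
    {"name": ..., "value": ...} objects, so the "name" field decides whether
    the sibling "value" is sensitive; any other key is judged by its own name."""
    if isinstance(obj, dict):
        name = obj.get("name") if isinstance(obj.get("name"), str) else ""
        out = {}
        for key, val in obj.items():
            by_key = SENSITIVE_KEYS.search(key)
            by_name = key == "value" and SENSITIVE_KEYS.search(name)
            if isinstance(val, str) and (by_key or by_name):
                out[key] = MASK
            else:
                out[key] = redact(val)
        return out
    if isinstance(obj, list):
        return [redact(item) for item in obj]
    if isinstance(obj, str):
        return redact_value(obj)
    return obj


def redact_text(text: str) -> str:
    """Redact one CLI output blob: JSON is walked structurally so key names are
    available; anything else (plain log lines) gets pattern matching only."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return "\n".join(redact_value(line) for line in text.splitlines())
    return json.dumps(redact(data), indent=2)


# Constructed sample, shaped like the JSON an `az webapp config appsettings set`
# call returns (an assumption about the shape; every value here is fake).
FAKE_KEY = ("Zm9vYmFyRmFrZUtleQ" * 5)[:86] + "=="
FAKE_PASSWORD = "S3cr3t-Example-Pass"
SAMPLE_OUTPUT = json.dumps(
    [
        {"name": "WEBSITE_RUN_FROM_PACKAGE", "slotSetting": False, "value": "1"},
        {
            "name": "AzureWebJobsStorage",
            "slotSetting": False,
            "value": "DefaultEndpointsProtocol=https;AccountName=examplestorage;"
            f"AccountKey={FAKE_KEY};EndpointSuffix=core.windows.net",
        },
        {"name": "DbPassword", "slotSetting": False, "value": FAKE_PASSWORD},
    ],
    indent=2,
)

if __name__ == "__main__":
    # Pipe real output through it: az webapp config appsettings set ... | python redact.py
    # With nothing piped in, redact the constructed sample instead.
    source = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    print(redact_text(source))
```

The sample shows why both checks are needed: `DbPassword` is caught by its name, but `AzureWebJobsStorage` looks harmless and only the `AccountKey=` value pattern catches the embedded storage key. A filter like this is a backstop, not a substitute for the advice in the article: update the CLI so it stops emitting secrets in the first place, keep CLI output out of logs, and rotate any key that may already have been written to one.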