CVE-2022-39327

NameCVE-2022-39327
DescriptionAzure CLI is the command-line interface for Microsoft Azure. In versions previous to 2.40.0, Azure CLI contains a vulnerability for potential code injection. Critical scenarios are where a hosting machine runs an Azure CLI command where parameter values have been provided by an external source. The vulnerability is only applicable when the Azure CLI command is run on a Windows machine and with any version of PowerShell and when the parameter value contains the `&` or `|` symbols. If any of these prerequisites are not met, this vulnerability is not applicable. Users should upgrade to version 2.40.0 or greater to receive a a mitigation for the vulnerability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
azure-cli (PTS)bullseye2.18.0-2fixed
bookworm2.45.0-1fixed
sid, trixie2.65.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
azure-clisource(unstable)(not affected)

Notes

- azure-cli <not-affected> (Windows-specific vulnerabilities)
https://github.com/Azure/azure-cli/security/advisories/GHSA-47xc-9rr2-q7p4
https://github.com/Azure/azure-cli/pull/23514
https://github.com/Azure/azure-cli/pull/24015
Search for package or bug name: Reporting problems