Microsoft Fixes Critical Azure CLI Flaw That Leaked Credentials in Logs
Microsoft has fixed a critical security vulnerability that could allow attackers to steal credentials from GitHub Actions or Azure DevOps logs. The flaw, reported by a security researcher, caused Azure CLI to write secrets in plain text into CI/CD log output, where an unauthenticated attacker with access to those logs could read them. Microsoft has released an update (Azure CLI version 2.54) to address the vulnerability and advises customers to update to the latest version. It also recommends steps to prevent accidental exposure of secrets in logs: keeping Azure CLI updated, avoiding exposing CLI output in logs, and regularly rotating keys and secrets. Microsoft has implemented a new default configuration that restricts the presentation of secrets in CLI output and has enhanced credential redaction in GitHub Actions and Azure Pipelines.
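The mitigation described above, as an added example that is not Microsoft's own code: a defensive filter a pipeline can run over Azure CLI output before echoing it into a log. It redacts by field name for JSON output and by value shape (connection-string keys, long base64 blobs) for anything else; the field-name set and the sample output are assumptions constructed for the example.

```python
import json
import re

# Field names that carry credentials in Azure CLI JSON output (illustrative set, an assumption).
# "value" is included because `az storage account keys list` returns keys under that name;
# in a CI log, over-redaction is the safer failure mode.
SECRET_FIELD_NAMES = {"value", "key", "key1", "key2", "password", "secret", "clientsecret",
                      "primarykey", "secondarykey", "connectionstring", "accesstoken"}
# Secret-looking values regardless of field name: storage connection-string keys, long base64 blobs.
CONNECTION_KEY_RE = re.compile(r"(AccountKey=)[^;\s]+")
BASE64_BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
REDACTED = "***REDACTED***"


def redact_string(text, field=None):
    """Redact one string: by field name first, then by the shape of the value."""
    if field is not None and field.lower() in SECRET_FIELD_NAMES:
        return REDACTED
    if BASE64_BLOB_RE.match(text):
        return REDACTED
    return CONNECTION_KEY_RE.sub(r"\g<1>" + REDACTED, text)


def redact_value(obj, field=None):
    """Walk parsed JSON (dicts, lists, scalars) and return a copy with secret strings redacted."""
    if isinstance(obj, dict):
        return {k: redact_value(v, k) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_value(v, field) for v in obj]
    if isinstance(obj, str):
        return redact_string(obj, field)
    return obj


def redact_cli_output(raw):
    """Redact Azure CLI output before it is echoed into a CI log.

    JSON output (the CLI default) is parsed so field names guide redaction; table/tsv
    output or free text falls back to per-line pattern matching.
    """
    try:
        return json.dumps(redact_value(json.loads(raw)), indent=2)
    except json.JSONDecodeError:
        return "\n".join(redact_string(line) for line in raw.splitlines())


# Constructed sample shaped like `az storage account keys list` output; the key values are fake.
SAMPLE_KEYS_OUTPUT = json.dumps([
    {"keyName": "key1", "permissions": "FULL",
     "value": "Q29uc3RydWN0ZWRGYWtlU3RvcmFnZUtleTAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMA=="},
    {"keyName": "key2", "permissions": "FULL",
     "value": "QW5vdGhlckZha2VLZXlGb3JUaGVFeGFtcGxlMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMA=="},
])
# Constructed connection string as it would appear in non-JSON output; the AccountKey is fake.
SAMPLE_CONN_LINE = ("DefaultEndpointsProtocol=https;AccountName=demoacct;"
                    "AccountKey=FakeKeyValue0000000000000000000000000000000000000000==;"
                    "EndpointSuffix=core.windows.net")

if __name__ == "__main__":
    print(redact_cli_output(SAMPLE_KEYS_OUTPUT))
    print(redact_cli_output(SAMPLE_CONN_LINE))
```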