Microsoft Azure Vulnerability Allowed Code Execution, Data Theft


Tracked as CVE-20220-29972, the security hole was identified in the third-party Open Database Connectivity (ODBC) data connector used in Integration Runtime (IR) in the affected Azure services to connect to Amazon Redshift.

A remote attacker could have exploited the flaw to execute arbitrary commands across the IR infrastructure, impacting multiple tenants, the tech giant explains.

Microsoft notes that the issue allowed a user running jobs in a Synapse pipeline to execute remote commands, potentially acquiring the Azure Data Factory service certificate and running commands in another tenant’s Data Factory IR.