Azure DevOps Vulnerabilities Discovered, Posing Security Risks
🔍 Significant vulnerabilities discovered in Azure DevOps pose security risks. Security researchers from Binary Security have identified multiple vulnerabilities in Azure DevOps, including flaws that allow Server-Side Request Forgery (SSRF) and Carriage Return Line Feed (CRLF) injection. The first vulnerability, in the ‘endpointproxy’ functionality, enables attackers to reach internal services, potentially exposing sensitive data. A second flaw, in the Service Hooks feature, allows arbitrary HTTP header injection. Alarmingly, the initial fixes for these vulnerabilities were bypassed using DNS rebinding techniques; a successful bypass could have severe consequences, including unauthorized access and data leakage. Microsoft has acknowledged the issues and awarded $15,000 in bounties to the researchers, urging users to apply security patches and strengthen their authentication and monitoring practices.
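As an added illustration (not code from Binary Security, Microsoft or the Azure DevOps product), the snippet below shows the check-then-connect pattern that a DNS rebinding bypass defeats next to a pinned-resolution alternative, plus a CR/LF check for outbound header values of the kind Service Hooks sends. The resolver, hostnames and addresses are constructed so it runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

def is_forbidden_ip(ip: str) -> bool:
    """True for loopback, private, link-local (cloud metadata ranges), multicast, reserved."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # judge ::ffff:127.0.0.1 as 127.0.0.1
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def pin_outbound_target(url: str, resolve) -> tuple:
    """Validate a user-supplied proxy/webhook URL; return (host, pinned_ip, port). The host is resolved
    once and every answer checked; the caller connects to pinned_ip (sending Host: host), never re-resolving."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only http(s) URLs with a host are accepted")
    host = parts.hostname
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        ipaddress.ip_address(host)  # literal IP in the URL: no lookup needed
        addrs = [host]
    except ValueError:
        addrs = list(resolve(host))  # resolve is an injected hostname -> [addresses] callable
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    for a in addrs:
        if is_forbidden_ip(a):
            raise ValueError(f"{host} resolves to forbidden address {a}")
    return host, addrs[0], port

def naive_check_then_connect(url: str, resolve) -> tuple:
    """The pattern a DNS rebinding bypass defeats: validate on one lookup, connect on a fresh one."""
    host, _checked_ip, port = pin_outbound_target(url, resolve)  # lookup 1 passes the check
    return host, list(resolve(host))[0], port  # lookup 2 is whatever the attacker's DNS now answers

def safe_header(name: str, value: str) -> tuple:
    """Reject CR, LF or NUL so a user-controlled value cannot end the header line and inject more headers."""
    if not name or not all(c.isalnum() or c in "-_" for c in name):
        raise ValueError("invalid header name")
    if any(c in value for c in "\r\n\0"):
        raise ValueError("CR/LF in header value")
    return name, value

class RebindingResolver:
    """Constructed attacker DNS: a public address on the first lookup, loopback on every later one."""
    def __init__(self): self.calls = 0
    def __call__(self, host: str):
        self.calls += 1
        return ["1.2.3.4"] if self.calls == 1 else ["127.0.0.1"]
```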
