
Microsoft Refuses CVE for Critical Azure Backup Vulnerability

1.2K views· 160 likes· 2:58· May 17, 2026


Microsoft refused to issue a CVE for a critical Azure Backup for AKS vulnerability. A security researcher says they quietly patched it anyway, and Microsoft denies anything was changed.

Justin O'Leary reported the flaw to Microsoft on March 17th. He classified it as a Confused Deputy bug: an attacker with only the limited "Backup Contributor" role could trigger Azure's Trusted Access feature to grant the backup service full control of the target Kubernetes cluster.

On April 13th, Microsoft dismissed the report, claiming it required pre-existing admin access, a characterization O'Leary disputes, since Backup Contributor by itself was enough. CERT validated the bug three days later and scheduled a public advisory for June 1st. On May 4th, Microsoft asked MITRE not to issue a CVE. CERT closed the case under the rules that let vendors decide CVE issuance for their own products.

Microsoft told BleepingComputer that no product changes were made. O'Leary documented that the attack stopped working anyway: new error messages, added permission checks, and Trusted Access now requires manual configuration. Without a CVE, affected organizations have no public record of the exposure or when it was fixed.

Sources: https://www.bleepingcomputer.com/news/security/microsoft-rejects-critical-azure-vulnerability-report-no-cve-issued/

More on cybersecurity, privacy, scams, and homelab on Hake Hardware. New shorts every weekday. #cybersecurity #microsoft #azure
