The CVE That Wasn't: Microsoft's Azure Vulnerability Rejection and the Eroding Trust in Cloud Disclosure
A security researcher identified a critical vulnerability in Microsoft Azure's identity management that could expose sensitive data across organizations. Microsoft rejected the submission, labeled the issue 'by design', and did not issue a CVE identifier, which raises concerns about transparency in cloud security. This decision contradicts previous actions taken by Microsoft regarding similar vulnerabilities, potentially undermining trust in the coordinated vulnerability disclosure process.
- A researcher found a cross-tenant access flaw in Azure that could expose customer data.
- Microsoft's Security Response Center rejected the vulnerability as intended functionality and did not issue a CVE.
- This rejection is inconsistent with Microsoft's past actions on similar vulnerabilities, raising concerns about transparency.
Opening excerpt (first ~120 words)
Susilo harjo. Posted on May 19. Originally published at susiloharjo.web.id
#cybersecurity #infosec #security
TL;DR: A security researcher discovered a critical cross-tenant access flaw in Microsoft Azure's identity management layer, capable of exposing sensitive customer data across organizational boundaries — and provided full technical documentation with proof-of-concept code.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at DEV.to (Top).