Microsoft rejects critical Azure vulnerability report, no CVE issued (bleepingcomputer.com) 7 points by rurban 1mo ago ↗ HN
[–] bell-cot 1mo ago ↗ Not that I'm an Azure expert, or trust Microsoft to tell the truth...but any privilege with "backup" in its name strikes me as security-critical.Any experts care to comment?
[–] olearysec 1mo ago ↗ I'm the researcher. You've nailed it — Backup Contributor automatically granted cluster-admin via Trusted Access, no K8s permissions required. Microsoft called it "expected behavior," then silently patched it.Full writeup with CERT/CC timeline and evidence: https://olearysec.com/research/azure-backup-aks-silent-patch...
2 comments
[ 4.0 ms ] story [ 14.6 ms ] threadAny experts care to comment?
Full writeup with CERT/CC timeline and evidence: https://olearysec.com/research/azure-backup-aks-silent-patch...