Skip to main content
MSRC

2022

Vulnerability mitigated in the third-party Data Connector used in Azure Synapse pipelines and Azure Data Factory (CVE-2022-29972)

Monday, May 09, 2022

Summary Microsoft recently mitigated a vulnerability in Azure Data Factory and Azure Synapse pipelines. The vulnerability was specific to the third-party Open Database Connectivity (ODBC) driver used to connect to Amazon Redshift in Azure Synapse pipelines and Azure Data Factory Integration Runtime (IR) and did not impact Azure Synapse as a whole.

Read More

Azure Database for PostgreSQL Flexible Server Privilege Escalation and Remote Code Execution

Thursday, April 28, 2022

MSRC was informed by Wiz, a cloud security vendor, under Coordinated Vulnerability Disclosure (CVD) of an issue with the Azure Database for PostgreSQL Flexible Server that could result in unauthorized cross-account database access in a region. By exploiting an elevated permissions bug in the Flexible Server authentication process for a replication user, a malicious user could leverage an improperly anchored regular expression to bypass authentication to gain access to other customers’ databases.

Read More

Congratulations and New Swag Awards for the Top MSRC 2022 Q1 Security Researchers!

Thursday, April 21, 2022

Today, we are excited to recognize this quarter’s Microsoft Researcher Recognition Program leaderboard and share new swag awards and improvements to the leaderboard. Congratulations and thank you to everyone for your hard work and continued partnership to secure customers. The top three researchers of the 2022 Q1 Security Researcher Leaderboard are: Yuki Chen, William Söderberg, and Terry Zhang @pnig0s!

Read More

Expanding High Impact Scenario Awards for Microsoft Bug Bounty Programs

Thursday, April 14, 2022

We are excited to announce the addition of scenario-based bounty awards to the Dynamics 365 and Power Platform Bounty Program and M365 Bounty Program. Through these new scenario-based bounty awards, we encourage researchers to focus their research on vulnerabilities that have the highest potential impact on customer privacy and security. Awards increase by up to 30% ($26,000 USD total) for eligible scenario submissions.

Read More

Microsoft’s Response to CVE-2022-22965 Spring Framework

Tuesday, April 05, 2022

Summary Microsoft used the Spring Framework RCE, Early Announcement to inform analysis of the remote code execution vulnerability, CVE-2022-22965, disclosed on 31 Mar 2022. We have not to date noted any impact to the security of our enterprise services and have not experienced any degraded service availability due to this vulnerability.

Read More