Cloud infrastructure security company Ermetic has identified a cross-site request forgery (CSRF) vulnerability affecting the source control management (SCM) service Kudu that could be used to achieve remote code execution (RCE) in a number of Azure services.
Kudu is a web-based Git repository manager that supports deploying and managing code in Azure. It powers a number of Azure App Service features, and Functions, App Service, Logic Apps, and other Azure services all rely on it.
The SCM panel, which is built on Kudu and requires Azure Active Directory (AAD) authentication, lets administrators manage Azure applications. The App Service, Function Apps, and Logic Apps services deploy the SCM panel by default.