CVE-2023-36052: 
Azure CLI vulnerability analysis and mitigation

Azure CLI REST Command Information Disclosure Vulnerability (CVE-2023-36052) was discovered and disclosed in November 2023. This vulnerability affects Microsoft Azure CLI versions up to (excluding) 2.53.1. The vulnerability received a high severity CVSS v3.1 base score of 8.6 (NVD, Microsoft Advisory).

The vulnerability is classified as an Exposure of Private Personal Information to an Unauthorized Actor (CWE-359). It has a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, indicating network accessibility, low attack complexity, no privileges required, no user interaction needed, with high confidentiality impact but no impact on integrity or availability (NVD).

The vulnerability could expose sensitive information in the form of environment variables when certain CLI commands are used, particularly in CI/CD environments. This exposure could lead to unauthorized access to credentials, passwords, usernames, and keys, potentially allowing attackers to access resources that repository owners can access (Hacker News).

Microsoft addressed this vulnerability through security updates released in November 2023. Users should upgrade to Azure CLI version 2.53.1 or later to mitigate this vulnerability (NVD).

The vulnerability has been codenamed LeakyCLI by cloud security researchers. While Microsoft has addressed the issue with a CVE and patch, similar issues were identified in other cloud providers' CLI tools, though these providers consider such behavior expected and recommend using dedicated secrets management services (Hacker News).