Microsoft patches critical Azure Service Fabric Explorer (SFX) vulnerability

Microsoft has patched a vulnerability in Azure Service Fabric Explorer (SFX) in its Patch Tuesday updates. The flaw, tracked as CVE-2022-35829, has a severity rating of 6.2 and could allow attackers to gain administrator privileges.

SFX is an open-source tool for inspecting and managing Azure Service Fabric Clusters, a distributed system platform for building and deploying cloud applications based on microservices.

The bug in question allows a user with privileges to “Create Compose Application via the SFX client and use privileges to create a rogue app and misuse a stored cross-site scripting (XSS) vulnerability in the “Application name” field to slip the payload.

The flaw therefore allows a threat actor to send the specially crafted input during the application process, which ultimately leads to its execution.

“This includes performing a Cluster Node reset, which erases all customized settings such as passwords and security configurations, allowing an attacker to create new passwords and gain full administrator privileges,” said Orca Security researchers Lidor Ben Shitrit and Roee Sagi.

The vulnerability was discovered and reported by Orca Security on August 11, 2022. Dubbed the vulnerability FabriXss (pronounced “fabrics”), the flaw impacts Azure Fabric Explorer version 8.1.316 and older.

The sources for this piece include an article in TheHackerNews.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web