The Azure SDK team has become aware of a potential risk for developers using the Key Vault libraries. Most applications using the Key Vault libraries are safe; however, applications that take user-provided URIs to Key Vault or Managed HSM resources like secrets, keys, or certificates may leak authentication information. Applications should validate URIs as recommended below, and in addition, the Azure SDK team is releasing new Key Vault libraries to provide some defense in depth. User-provided URIs should be validated correctly to mitigate potential leaks.

Affected applications

Applications that accept user-provided URIs for a customer-owned Azure Key Vault or Azure Managed HSM should validate the URIs. Examples include:

- URIs to keys for encryption at rest, often referred to as customer-managed keys (CMK).
- URIs to secrets to configure an application, including API keys, connection strings, etc.

URIs could be provided through configuration files, command line interfaces (CLIs), or user interfaces. If the URIs aren't properly validated, an attacker may be able to trick your application into giving up an Azure Active Directory (Azure AD) access token for another Azure service, or to use keys and secrets from another source.

Recommended actions

All applications accepting user-provided URIs should perform the following steps to validate a Key Vault or Managed HSM URI:

- The URI must be a well-formed absolute URI.
- The URI host domain must match one of the known domain names for Key Vault or Managed HSM.

Azure Key Vault and Managed HSM use the same pattern for host names: typically, a customer-selected name followed by the Azure cloud-specific domain name for the service; however, Managed HSM may use multi-level names for region support.
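The following is an added example of the two validation steps above, written for this page and not taken from the Azure SDK libraries. It assumes the public-cloud suffixes vault.azure.net and managedhsm.azure.net; the sovereign-cloud suffixes listed are an assumption to confirm against your cloud's documented endpoints, and all host names in the comments and tests are constructed.

```python
from urllib.parse import urlparse

# Known service domain suffixes. The public-cloud names are the ones this page
# describes; the sovereign-cloud entries are assumed here and should be confirmed
# against the documented endpoints for the cloud you deploy to.
KNOWN_SUFFIXES = (
    "vault.azure.net",
    "managedhsm.azure.net",
    "vault.azure.cn",
    "managedhsm.azure.cn",
    "vault.usgovcloudapi.net",
    "managedhsm.usgovcloudapi.net",
)


def key_vault_origin(uri: str, suffixes=KNOWN_SUFFIXES):
    """Return the normalized "https://<host>" origin when `uri` is an absolute
    https URI whose host is a customer name (one or more labels, so Managed HSM
    regional names pass) under a known service domain; otherwise return None.
    Only the origin is returned so a user-controlled path or query never
    reaches the SDK client."""
    try:
        parsed = urlparse(uri)
        port = parsed.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    # Step 1: well-formed absolute URI, over TLS, with a host part.
    if parsed.scheme.lower() != "https" or not parsed.netloc:
        return None
    # Reject userinfo ("https://myvault.vault.azure.net@evil.example/", a
    # constructed lookalike) and explicit ports; neither belongs in a vault URI.
    if "@" in parsed.netloc or port is not None:
        return None
    # Step 2: host must end with a known domain. `hostname` is lowercased by
    # urlparse; a trailing dot is dropped so "host." cannot dodge the check.
    host = (parsed.hostname or "").rstrip(".")
    for suffix in suffixes:
        # Label-aligned match: "evilvault.azure.net" must not pass as
        # "vault.azure.net", and the bare service domain is rejected too.
        if host.endswith("." + suffix):
            labels = host[: -len(suffix) - 1].split(".")
            if labels and all(labels):
                return f"https://{host}"
    return None


def is_valid_key_vault_uri(uri: str) -> bool:
    return key_vault_origin(uri) is not None
```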