自定义问答权限提升漏洞

此漏洞的影响非常严重，攻击者可以利用它绕过身份验证和授权机制，从而访问敏感数据或执行未经授权的操作。攻击者可能能够读取、修改或删除存储在 Azure Cognitive Service for Language 中的数据，甚至可能利用此漏洞进行横向移动，攻击其他连接到同一 Azure 订阅的资源。由于 Azure Cognitive Service for Language 广泛应用于各种应用场景，例如客户服务、知识管理和内容分析，因此该漏洞的潜在影响范围非常广泛。

Organizations heavily reliant on Azure Cognitive Service for Language for processing sensitive data, particularly those using older versions (1.0.0 and earlier), are at significant risk. Those with complex access control configurations or those who have not implemented robust RBAC policies are also more vulnerable.

• azure: Review Azure Activity Logs for suspicious API calls related to the Cognitive Service for Language, specifically focusing on attempts to bypass access controls. • azure: Use Azure Security Center to monitor for unusual user activity and privilege escalation attempts. • generic web: Monitor network traffic to and from the Cognitive Service endpoint for unexpected patterns or unauthorized requests. • generic web: Review application logs for errors or anomalies that might indicate an attempted exploit.

1. 2025-12-18Disclosure

   disclosure

1. 已保留2025-11-06
2. 发布日期2025-12-18
3. 修改日期2026-04-16
4. EPSS 更新日期2026-03-23

最有效的缓解措施是立即将 Azure Cognitive Service for Language 升级至 2.5.4 或更高版本。如果升级不可行，可以考虑实施额外的安全控制措施，例如限制对自定义问答功能的访问，并实施严格的身份验证和授权策略。此外，建议定期审查 Azure Cognitive Service for Language 的配置，并确保遵循最佳安全实践。监控 Azure 活动日志，寻找任何异常活动，例如未经授权的数据访问尝试。