Microsoft is accused of quietly fixing an Azure Backup for AKS privilege escalation flaw after rejecting the researcher’s report and helping block a CVE. Justin O’Leary says the issue let a low-privileged Backup Contributor gain cluster-admin access through Trusted Access, while Microsoft denies a vulnerability and says no product changes were made. #AzureBackupforAKS #AKS #JustinOLeary #MSRC #CERTCC #MITRE
Key points
- Justin O’Leary reported a critical Azure Backup for AKS flaw to Microsoft on March 17.
- The bug allegedly let Backup Contributor users gain cluster-admin privileges without Kubernetes access.
- Microsoft rejected the report, saying the behavior required pre-existing administrative privileges.
- CERT/CC validated the issue, but a CVE was blocked under CNA hierarchy rules.
- O’Leary says Microsoft later changed the behavior without issuing a public advisory.