Page 195 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022
Azure PostgreSQL User Databases Were Exposed Due to Critical Vulnerabilities

By Randy Reiter, CEO of Don't Be Breached

In April 2022, Microsoft reported that vulnerabilities in its Azure Database for PostgreSQL could have let hackers gain access to other customers' databases after bypassing authentication. "By exploiting an elevated permissions bug in the Flexible Server authentication process for a replication user, a malicious user could leverage an improperly anchored regular expression to bypass authentication to gain access to other customers' databases," the Microsoft Security Response Center reported.
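The "improperly anchored regular expression" in the quote above is a general class of bug: a pattern is matched against an identity (a hostname, a certificate Common Name) without being pinned to both ends of the string, so an identity that merely contains the trusted value is accepted. The Python below is an added illustration written for this article, not code from Microsoft, Wiz or Azure; the trusted suffix, the sample identities and the regexes are all hypothetical and are not the pattern or domains involved in the incident. It puts two weakly anchored checks beside a hardened `fullmatch` check and runs constructed identities through all three.

```python
import re

# Added illustration of an improperly anchored regex in an authentication
# allow-list check. Everything here is constructed for this article: the
# trusted suffix, the identities and the regexes are hypothetical and are
# NOT the pattern or the domains involved in the Azure PostgreSQL issue.

TRUSTED_SUFFIX = r"\.example-cloud\.test"  # hypothetical trusted DNS suffix

# Weak check 1: re.match() anchors only at the start of the string. Nothing
# anchors the end, so any identity that merely *contains* the trusted suffix
# is accepted, including one that continues with further labels.
WEAK_RE = re.compile(r".*" + TRUSTED_SUFFIX)

def weak_is_trusted(identity: str) -> bool:
    return WEAK_RE.match(identity) is not None

# Weak check 2: adding "$" looks like an end anchor, but in Python "$" also
# matches just before a single trailing newline, so "name\n" still passes.
DOLLAR_RE = re.compile(r".*" + TRUSTED_SUFFIX + r"$")

def dollar_is_trusted(identity: str) -> bool:
    return DOLLAR_RE.match(identity) is not None

# Hardened check: fullmatch() requires the entire string to match, and the
# part before the suffix is limited to the characters of one DNS label, so
# neither appended labels nor a trailing newline can slip through.
STRICT_RE = re.compile(r"[a-z0-9-]+" + TRUSTED_SUFFIX)

def strict_is_trusted(identity: str) -> bool:
    return STRICT_RE.fullmatch(identity) is not None

# Constructed sample identities as a client might present them (for example
# in a certificate Common Name). Only the first one should ever be trusted.
SAMPLE_IDENTITIES = [
    "db1.example-cloud.test",             # legitimate
    "db1.example-cloud.test.other.test",  # trusted suffix followed by more labels
    "db1.example-cloud.testing",          # suffix is only a prefix of the last label
    "db1.example-cloud.test\n",           # trailing newline
]

def compare(identities):
    """Return {identity: (weak, dollar, strict)} verdicts for each identity."""
    return {i: (weak_is_trusted(i), dollar_is_trusted(i), strict_is_trusted(i))
            for i in identities}

if __name__ == "__main__":
    for ident, verdicts in compare(SAMPLE_IDENTITIES).items():
        print(repr(ident), verdicts)
```

Run it directly to print each identity's three verdicts. The defensive takeaways for any authentication or allow-list check are to use `fullmatch` (or explicit `\A` and `\Z` anchors) rather than `match` or a bare `$`, to restrict the character class of the variable part, and to test the check with inputs that contain the trusted value rather than only inputs that end with it.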

The research team at the cloud security firm Wiz discovered the vulnerabilities. "An attacker could create a full copy of a target database in Azure PostgreSQL [Flexible Server], essentially exfiltrating all the information stored in the database," says Ami Luttwak, co-founder and CTO at Wiz.

Microsoft said it mitigated the issue on Jan. 13, 2022, less than 48 hours after Wiz had notified it of the issue. Microsoft said its analysis showed no evidence of attackers having exploited the vulnerabilities to access customer data. Wiz said Microsoft awarded its researchers a $40,000 bug bounty; the amount can be viewed as confirmation of the vulnerability's severity.