Wiz.io, a cloud security vendor, has shared the issue with Microsoft’s Security Response Centre (MSRC). Wiz.io said Azure Cloud customers can unintentionally configure the .git folder to be created in the content root, which would put them at risk for information disclosure.
This, when combined with an application configured to serve static content, makes it possible for others to download files not intended to be public, Microsoft said in a statement on Thursday.
Microsoft has notified the customers it believes are at risk. Microsoft said it will work with its customers on securing their applications.
App Service Linux customers who deployed applications using Local Git after files were created or modified in the content root directory are impacted.
This happens because the system attempts to preserve the currently deployed files as part of the repository contents, and activates what is referred to as in-place deployment by the deployment engine (Kudu), says Microsoft.
Not all users of Local Git were impacted by the vulnerability, and Azure App Service Windows was not affected, Microsoft said.
Microsoft updated all PHP images to disallow serving the .git folder as static content as a defence-in-depth measure.
Microsoft notified customers who were impacted due to the activation of in-place deployment with specific guidance on how to mitigate the issue.
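As an added illustration (not code from Microsoft or Wiz.io), an operator could audit a deployed application's content root for a .git folder of the kind described above with a short script. The function names and the sample tree are assumptions made for this example; pass the real content root as the first argument.

```python
import os
import sys
import tempfile
from dataclasses import dataclass

@dataclass
class Finding:
    path: str      # .git directory, relative to the content root
    is_repo: bool  # True when a HEAD file is present (a real repository)
    files: int     # files a static file server could hand out from it

def audit_content_root(content_root):
    """Return one Finding per .git directory found under content_root."""
    findings = []
    for dirpath, dirnames, _ in os.walk(content_root):
        if ".git" not in dirnames:
            continue
        git_dir = os.path.join(dirpath, ".git")
        count = sum(len(names) for _, _, names in os.walk(git_dir))
        findings.append(Finding(
            path=os.path.relpath(git_dir, content_root),
            is_repo=os.path.isfile(os.path.join(git_dir, "HEAD")),
            files=count,
        ))
        dirnames.remove(".git")  # prune: no need to walk inside the repository
    return sorted(findings, key=lambda f: f.path)

def build_sample_root(root):
    """Constructed sample: a content root that also holds the repository."""
    layout = {
        "index.php": "<?php echo 'hello';",
        ".git/HEAD": "ref: refs/heads/master\n",
        ".git/config": "[core]\n\tbare = false\n",
        "static/app.css": "body{}",
    }
    for rel, text in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(text)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]           # content root of the deployed app
    else:
        target = tempfile.mkdtemp()    # no argument: audit the constructed sample
        build_sample_root(target)
    for f in audit_content_root(target):
        state = "repository" if f.is_repo else "directory without HEAD"
        print(f"{f.path}: {state}, {f.files} files under the content root")
```

Any finding means the repository sits inside the directory the web server serves from, so it should be moved out of the content root or blocked at the server.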
The Wiz Research Team said it first notified Microsoft of the issue on October 7; the fix was deployed in November, and customers were notified by December.
Wiz.io said small groups of customers are still potentially exposed and should take certain user actions to protect their applications, as detailed in several email alerts Microsoft issued between the 7th and 15th of December 2021.