A security flaw has been unearthed in Microsoft’s Azure App Service that exposed the source code of customer applications written in Java, Node, PHP, Python, and Ruby for at least four years, since September 2017.
The vulnerability, codenamed “NotLegit,” was reported to the tech giant by Wiz researchers on October 7, 2021, after which mitigations to fix the information disclosure bug were undertaken in November. Microsoft said a “limited subset of customers” are at risk, adding “Customers who deployed code to App Service Linux via Local Git after files were already created in the application were the only impacted customers.”
The Azure App Service (aka Azure Web Apps) is a cloud computing-based platform for building and hosting web applications. It allows users to deploy source code and artifacts to the service using a local Git repository, or via repositories hosted on GitHub and Bitbucket.