

Cloud Users Warned of Data Exposure Risk From Command-Line Tools

Cloud security specialists found data exposure risk associated with Azure, AWS, and Google Cloud command-line tools.

Cloud security firm Orca is warning organizations that cloud command-line tools can expose sensitive information, but two of the three major cloud providers say the behavior is expected.

Microsoft Azure, AWS and Google Cloud provide command-line interface (CLI) tools that customers can use for interacting with each platform. 

Researchers found that some commands in these tools print environment variables as part of their output, and when the commands run in an automated pipeline that output ends up in build log files.

“If bad actors get their hands on these environment variables, this could potentially lead to viewing sensitive information including credentials, such as passwords, user names, and keys, which could allow them to access any resources that the repository owners can,” Orca explained on Tuesday.

According to Orca, CLI commands are by default assumed to be running in a secure environment, but they are also used in continuous integration and continuous delivery (CI/CD) pipelines, where their output is captured in build logs that may be stored, shared or published. That is where the security risk emerges.

The issue was initially discovered by a Palo Alto Networks researcher in the Azure CLI last year. Microsoft assigned the vulnerability the identifier CVE-2023-36052 and patched it in November 2023. 

“An attacker that successfully exploited this vulnerability could recover plaintext passwords and usernames from log files created by the affected CLI commands and published by Azure DevOps and/or GitHub Actions,” Microsoft said in its advisory. 

Orca later discovered that the same issue, which it has named LeakyCLI, also impacts AWS and Google Cloud CLI tools. 

Advertisement. Scroll to continue reading.

However, AWS and Google Cloud have described it as “expected behavior”, according to the cloud security firm, though their customers can take steps to prevent the exposure of sensitive data.

“We’re appreciative of the researcher’s work in identifying and reporting their findings to Google,” a Google Cloud spokesperson told SecurityWeek. “We do not consider this specific finding a vulnerability as environment variables are inherently not secure for storing secrets in production workloads. Google recommends using Secrets manager functions built into gcloud deploy cmd to store credentials.”

As for AWS, it told Orca that it will update its documentation for customers. The cloud giant recommends not storing secrets in environment variables, and reviewing build logs for sensitive information. 
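AWS’s recommendation to review build logs for sensitive information can be automated. The script below is an added example written for this page, not code from Orca, AWS, Google or Microsoft. It scans a constructed set of build-log lines (not real output of any CLI) for variables whose names suggest a credential and for values in the documented AWS access key ID format, then produces a redacted copy of the log that is safe to retain. The log lines, variable names and values in it are all assumptions.

```python
"""Scan CI build logs for environment variables that look like secrets.

Two checks are applied to every log line:
  1. name-based: a key=value or "key": "value" pair whose key name suggests a
     credential (password, token, secret, api key, access key, ...)
  2. format-based: a value that matches a well-known credential format,
     here the AWS access key ID format (the literal prefix AKIA followed by
     16 upper-case alphanumerics); the example key below is constructed
"""
import re
from typing import List, NamedTuple

# Constructed sample log (assumption, not captured from any real pipeline).
# Line 3 imitates a command that prints its configuration, environment
# variables included, as JSON; line 4 imitates a step that echoes an export.
SAMPLE_LOG = """\
2024-04-16T10:02:11Z [step] Resolve dependencies
2024-04-16T10:02:14Z [step] Describe deployment configuration
{"name": "build-fn", "env": {"DB_PASSWORD": "hunter2-not-real", "LOG_LEVEL": "debug"}}
2024-04-16T10:02:15Z export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
2024-04-16T10:02:15Z export LOG_LEVEL=debug
2024-04-16T10:02:16Z [step] Done
"""

# Variable names that usually carry a credential.
SENSITIVE_NAME = re.compile(
    r"(?i)(secret|token|password|passwd|api[_-]?key|access[_-]?key|private[_-]?key|credential)"
)

# Known credential value formats, independent of the variable name.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# key=value (shell export style) or "key": "value" (JSON style) pairs.
KEY_VALUE = re.compile(r'"?([A-Za-z_][A-Za-z0-9_]*)"?\s*[=:]\s*"?([^,"\s}]+)')


class Finding(NamedTuple):
    line_no: int
    kind: str      # "sensitive_name" or a KNOWN_FORMATS label
    name: str      # variable name, or the format label for format hits
    preview: str   # redacted value, so the report does not leak it again


def redact(value: str) -> str:
    """Keep a short prefix for triage and mask the rest."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 4)


def scan_build_log(text: str) -> List[Finding]:
    """Return every credential-looking value found in the log, in line order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, pattern in KNOWN_FORMATS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(line_no, label, label, redact(match.group(0))))
        for name, value in KEY_VALUE.findall(line):
            if SENSITIVE_NAME.search(name):
                findings.append(Finding(line_no, "sensitive_name", name, redact(value)))
    return findings


def redact_log(text: str) -> str:
    """Return the log with every flagged value replaced by [REDACTED]."""
    def _mask_pair(match: re.Match) -> str:
        name, value = match.group(1), match.group(2)
        if SENSITIVE_NAME.search(name):
            # group(2) is at the end of the match, so cut it off and replace it
            return match.group(0)[: -len(value)] + "[REDACTED]"
        return match.group(0)

    out = []
    for line in text.splitlines():
        for pattern in KNOWN_FORMATS.values():
            line = pattern.sub("[REDACTED]", line)
        out.append(KEY_VALUE.sub(_mask_pair, line))
    return "\n".join(out)


if __name__ == "__main__":
    for finding in scan_build_log(SAMPLE_LOG):
        print(f"line {finding.line_no}: {finding.kind} {finding.name} = {finding.preview}")
    print(redact_log(SAMPLE_LOG))
```

Run this over a log before it is archived or attached to a pull request; a hit means a secret reached a place the CLI was never meant to write to, and the credential should be rotated, not just scrubbed from the log. The name-based rule is the one that catches the pattern described in the article, since a dumped environment variable carries its own name.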

Related: Inside AWS’s Crusade Against IP Spoofing and DDoS Attacks

Related: Microsoft Plugs Gaping Hole in Azure Kubernetes Service Confidential Containers

Related: Vulnerability Allowed Takeover of AWS Apache Airflow Service

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
