Azure Config Review - Nuclei Templates v10.0.0 🎉
🔥 Release Highlights 🔥
We're excited to announce the expansion of the Nuclei Templates with a new suite built specifically for Azure cloud configuration review. This update introduces specialized security checks covering the core components of Azure, including VMs and scale sets, App Services and Functions, SQL and PostgreSQL databases, Storage, Key Vault, AKS, API Management, Network Security Groups, and more. The templates are designed to pinpoint common misconfigurations, support compliance with regulatory standards, and enforce industry best practices, and they are built on Nuclei's flow and code features.
These Azure-specific templates let security teams run thorough audits of their Azure environments and surface the misconfigurations that matter, from unrestricted NSG rules and public storage to missing activity-log alerts and disabled encryption. The checks are also customizable, so teams can adapt them to their own operational requirements and shorten the path from detection to remediation.
We encourage contributors and reviewers to share feedback and suggestions that help these Azure security templates evolve. For more details, please visit our latest blog post.
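The Azure checks combine two Nuclei features named above: the code protocol, which runs a local command and matches on its output, and flow, which chains code steps and loops over extracted values. The template below is an added illustration of that pattern written for this page; it is not one of the templates shipped in the repository, its id and author are hypothetical, and it assumes the Azure CLI (az) is installed and already logged in with Reader access to the subscription under review.

```yaml
# Added illustrative example, not a template from the nuclei-templates repository.
# Hypothetical id/author. Assumes `az` is installed and `az login` has already been
# run with at least Reader access to the subscription being reviewed.
id: azure-storage-public-blob-access-example

info:
  name: Azure Storage Account Allows Public Blob Access (example)
  author: example-author
  severity: medium
  description: |
    Flags storage accounts whose allowBlobPublicAccess property is true.
    That setting does not make data public by itself, but it permits
    individual containers to be opened to anonymous reads.
  remediation: |
    Set allowBlobPublicAccess to false on the storage account:
    az storage account update --name <account> --allow-blob-public-access false
  tags: cloud,azure,storage,config-review

# flow: step 1 enumerates accounts once; step 2 runs once per account name
flow: |
  code(1)
  for (let account of iterate(template.storageAccounts)) {
    set("storageAccount", account)
    code(2)
  }

self-contained: true
code:
  # Step 1: list every storage account name in the active subscription as a JSON array
  - engine:
      - sh
      - bash
    source: |
      az storage account list --query '[*].name' -o json
    extractors:
      - type: json
        name: storageAccounts
        internal: true   # feeds the flow loop only; this step is not reported
        json:
          - '.[]'

  # Step 2: read the account-level flag; -o json prints a bare true/false
  - engine:
      - sh
      - bash
    source: |
      az storage account show --name "$storageAccount" --query 'allowBlobPublicAccess' -o json
    matchers:
      - type: word
        words:
          - "true"
    extractors:
      - type: dsl
        dsl:
          - '"Storage account " + storageAccount + " has allowBlobPublicAccess=true"'
```

Code-protocol templates are not loaded unless nuclei is started with the -code flag, and a template you write locally must be signed (nuclei -sign -t <file>) before nuclei will execute it; the templates in the official repository are already signed. Because the second step runs one az call per account, expect runtime to scale with the number of storage accounts in the subscription.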
Other Highlights
- [CVE-2024-45195] Apache OFBiz - Remote Code Execution (@dhiyaneshdk) [high] 🔥
- [CVE-2024-38472] Apache HTTPd Windows UNC - Server-Side Request Forgery (@pdteam) [high] 🔥
- [CVE-2024-28987] SolarWinds Web Help Desk - Hardcoded Credential (@iamnoooob, @rootxharsh, @pdresearch) [critical] 🔥
- [CVE-2024-22120] Zabbix Server - Time-Based Blind SQL injection (@CodeStuffBreakThings) [critical] 🔥
- [CVE-2024-20440] Cisco Smart Licensing - UnAuth Credentials Exposure (@iamnoooob, @parthmalhotra, @pdresearch) [high] 🔥
- [CVE-2024-20439] Cisco Smart Licensing Utility - Admin Credentials (@iamnoooob, @parthmalhotra, @pdresearch) [critical] 🔥
- [CVE-2024-20419] Cisco SSM On-Prem <= 8-202206 - Account Takeover (@iamnoooob, @rootxharsh, @pdresearch) [critical] 🔥
- [CVE-2024-8517] SPIP BigUp Plugin - Remote Code Execution (@dhiyaneshdk) [critical] 🔥
- [CVE-2024-7029] AVTECH IP Camera - Command Injection (@dhiyaneshdk) [high] 🔥
- [CVE-2023-34105] SRS - Command Injection (@iamnoooob, @rootxharsh, @pdresearch) [high] 🔥
What's Changed
New Templates Added: 253 | CVEs Added: 35 | First-time contributions: 2
- [CVE-2024-45388] Hoverfly < 1.10.3 - Arbitrary File Read (@iamnoooob, @rootxharsh, @pdresearch) [high]
- [CVE-2024-45195] Apache OFBiz - Remote Code Execution (@dhiyaneshdk) [high] 🔥
- [CVE-2024-44849] Qualitor <= 8.24 - Remote Code Execution (@s4e-io) [critical]
- [CVE-2024-41955] Open Redirect in Login Redirect - MobSF (@Farish) [medium]
- [CVE-2024-41667] OpenAM<=15.0.3 FreeMarker - Template Injection (@iamnoooob, @rootxharsh, @pdresearch) [high]
- [CVE-2024-38472] Apache HTTPd Windows UNC - Server-Side Request Forgery (@pdteam) [high] 🔥
- [CVE-2024-29889] GLPI 10.0.10-10.0.14 - SQL Injection (@iamnoooob, @rootxharsh, @pdresearch) [high]
- [CVE-2024-29882] HTTP API DOM - XSS on JSONP callback (@rootxharsh, @iamnoooob, @pdresearch) [high]
- [CVE-2024-28987] SolarWinds Web Help Desk - Hardcoded Credential (@iamnoooob, @rootxharsh, @pdresearch) [critical] 🔥
- [CVE-2024-22120] Zabbix Server - Time-Based Blind SQL injection (@CodeStuffBreakThings) [critical] 🔥
- [CVE-2024-20440] Cisco Smart Licensing - UnAuth Credentials Exposure (@iamnoooob, @parthmalhotra, @pdresearch) [high] 🔥
- [CVE-2024-20439] Cisco Smart Licensing Utility - Admin Credentials (@iamnoooob, @parthmalhotra, @pdresearch) [critical] 🔥
- [CVE-2024-20419] Cisco SSM On-Prem <= 8-202206 - Account Takeover (@iamnoooob, @rootxharsh, @pdresearch) [critical] 🔥
- [CVE-2024-8517] SPIP BigUp Plugin - Remote Code Execution (@dhiyaneshdk) [critical] 🔥
- [CVE-2024-7786] Sensei LMS < 4.24.2 - Email Template Leak (@s4e-io) [high]
- [CVE-2024-7029] AVTECH IP Camera - Command Injection (@dhiyaneshdk) [high] 🔥
- [CVE-2024-6928] Opti Marketing <= 2.0.9 - SQL Injection (@s4e-io) [high]
- [CVE-2024-6926] Viral Signup <= 2.1 - SQL Injection (@s4e-io) [critical]
- [CVE-2024-6924] TrueBooker <= 1.0.2 - SQL Injection (@s4e-io) [high]
- [CVE-2024-6846] SmartSearchWP <= 2.4.4 - Unauthenticated Log Purge (@s4e-io) [medium]
- [CVE-2024-6586] Lightdash v0.1024.6 - Server-Side Request Forgery (@iamnoooob, @rootxharsh, @pdresearch) [high]
- [CVE-2024-6159] Push Notification for Post and BuddyPress <= 1.93 - SQL Injection (@s4e-io) [critical]
- [CVE-2023-47684] Essential Grid <= 3.1.0 - Cross-Site Scripting (@0xPugal) [medium]
- [CVE-2023-41621] Emlog Pro v2.1.14 - Cross-Site Scripting (@ritikchaddha) [medium]
- [CVE-2023-41597] EyouCms v1.6.2 - Cross-Site Scripting (@ritikchaddha) [medium]
- [CVE-2023-35155] XWiki - Cross-Site Scripting (@ritikchaddha) [medium]
- [CVE-2023-34105] SRS - Command Injection (@iamnoooob, @rootxharsh, @pdresearch) [high] 🔥
- [CVE-2023-22621] Strapi Versions <=4.5.5 - SSTI to Remote Code Execution (@iamnoooob, @rootxharsh, @pdresearch) [high]
- [CVE-2023-6329] Control iD iDSecure - Authentication Bypass (@dhiyaneshdk, @princechaddha) [critical]
- [CVE-2014-5187] Tom M8te (tom-m8te) Plugin 1.5.3 - Directory Traversal (@dhiyaneshdk) [medium]
- [CVE-2014-5181] Last.fm Rotation 1.0 - Path Traversal (@dhiyaneshdk) [medium]
- [CVE-2014-4941] Cross RSS 1.7 - Local File Inclusion (@dhiyaneshdk) [medium]
- [CVE-2014-4577] WP AmASIN – The Amazon Affiliate Shop - Local File Inclusion (@dhiyaneshdk) [medium]
- [CVE-2007-2449] Apache Tomcat 4.x-7.x - Cross-Site Scripting (@pdteam, @ritikchaddha) [medium]
- [CVE-2000-0760] Jakarta Tomcat 3.1 and 3.0 - Exposure (@Thabisocn) [low]
- [azure-custom-admin-role-unrestricted] Azure Subscription Administrator Custom Role Unrestricted Access (@princechaddha) [high]
- [azure-custom-owner-role-unrestricted] Azure Custom Owner Role Available (@princechaddha) [medium]
- [azure-iam-role-resource-lock-unassigned] Azure IAM Role for Resource Locking Not Assigned (@princechaddha) [medium]
- [azure-entra-id-guest-users-unmonitored] Azure Entra ID Guest Users Unmonitored (@princechaddha) [medium]
- [azure-mfa-not-enabled-privileged-users] Azure MFA Not Enabled for All Privileged Users (@princechaddha) [high]
- [azure-db-mysql-delete-unalerted] Azure MySQL Database Delete Alert Not Configured (@princechaddha) [high]
- [azure-delete-lb-alert-unconfigured] Azure Delete Load Balancer Alert Not Configured (@princechaddha) [high]
- [azure-key-vault-delete-unalerted] Azure Key Vault Delete Alert Not Configured (@princechaddha) [high]
- [azure-keyvault-update-unalerted] Azure Key Vault Update Alert Not Configured (@princechaddha) [high]
- [azure-lb-create-update-missing] Azure Load Balancer Create or Update Alert Not Configured (@princechaddha) [high]
- [azure-mysql-db-update-unalerted] Azure MySQL Database Create/Update Alert Not Configured (@princechaddha) [high]
- [azure-nsg-create-update-unalerted] Azure Network Security Group Create/Update Alert Not Configured (@princechaddha) [high]
- [azure-nsg-delete-unalerted] Azure Network Security Group Delete Alert Not Configured (@princechaddha) [high]
- [azure-nsg-rule-delete-unalerted] Azure NSG Rule Delete Alert Not Configured (@princechaddha) [high]
- [azure-nsg-rule-update-unalerted] Azure Network Security Group Rule Create/Update Alert Not Configured (@princechaddha) [high]
- [azure-policy-assignment-create-alert-missing] Azure Policy Assignment Create Alert Not Configured (@princechaddha) [high]
- [azure-policy-assignment-delete-unalerted] Azure Policy Assignment Delete Alert Not Configured (@princechaddha) [high]
- [azure-postgresql-db-delete-unalerted] Azure PostgreSQL Database Delete Alert Not Configured (@princechaddha) [high]
- [azure-postgresql-db-update-unalerted] Azure PostgreSQL Database Create/Update Alert Not Configured (@princechaddha) [high]
- [azure-public-ip-delete-unalerted] Azure Public IP Delete Alert Not Configured (@princechaddha) [high]
- [azure-public-ip-update-unalerted] Azure Public IP Create/Update Alert Not Configured (@princechaddha) [high]
- [azure-security-policy-update-unalerted] Azure Update Security Policy Alert Not Configured (@princechaddha) [high]
- [azure-security-solution-delete-unalerted] Azure Security Solution Delete Alert Not Configured (@princechaddha) [high]
- [azure-security-solutions-update-unalerted] Azure Security Solutions Create/Update Alert Not Configured (@princechaddha) [high]
- [azure-sql-database-rename-unalerted] Azure SQL Database Rename Alert Not Configured (@princechaddha) [high]
- [azure-sql-db-update-unalerted] Azure SQL Database Create/Update Alert Not Configured (@princechaddha) [high]
- [azure-sql-delete-db-unalerted] Azure SQL Delete Database Alert Not Configured (@princechaddha) [high]
- [azure-sql-fw-rule-unalerted] Azure SQL Server Firewall Rule Create/Update/Delete Alert Not Configured (@princechaddha) [high]
- [azure-storage-account-delete-unalerted] Azure Storage Account Delete Alert Not Configured (@princechaddha) [high]
- [azure-storage-account-update-unalerted] Azure Storage Account Create/Update Alert Not Configured (@princechaddha) [high]
- [azure-vm-create-update-unalerted] Azure VM Create/Update Alert Not Configured (@princechaddha) [high]
- [azure-vm-deallocate-unalerted] Azure Virtual Machine Deallocate Alert Not Configured (@princechaddha) [high]
- [azure-vm-delete-unalerted] Azure Virtual Machine Delete Alert Not Configured (@princechaddha) [high]
- [azure-vm-poweroff-unalerted] Azure Virtual Machine Power Off Alert Not Configured (@princechaddha) [high]
- [azure-openai-cmk-not-enabled] Azure OpenAI Encryption using Customer-Managed Keys Not Enabled (@princechaddha) [high]
- [azure-openai-managed-identity-not-used] Azure OpenAI Service Instance Managed Identity Not Used (@princechaddha) [medium]
- [azure-openai-private-endpoints-unconfigured] Azure OpenAI Service Instances Not Using Private Endpoints (@princechaddha) [high]
- [azure-openai-public-access-disabled] Azure OpenAI Public Network Access Not Disabled (@princechaddha) [high]
- [azure-aks-api-unrestricted] Azure AKS API Server Access Unrestricted (@princechaddha) [high]
- [azure-aks-api-version-not-latest] Azure AKS Kubernetes API Version Not Latest (@princechaddha) [high]
- [azure-aks-cni-not-configured] Azure AKS Not Using CNI Mode (@princechaddha) [medium]
- [azure-aks-entra-id-unintegrated] Azure AKS Microsoft Entra ID Integration Not Configured (@princechaddha) [high]
- [azure-aks-kubernetes-version-outdated] Azure AKS Kubernetes Version Not Latest (@princechaddha) [low]
- [azure-aks-managed-identity-unassigned] Use System-Assigned Managed Identities for AKS Clusters (@princechaddha) [medium]
- [azure-aks-network-contrib-unassigned] Azure AKS Network Contributor Role Unassigned (@princechaddha) [medium]
- [azure-aks-not-user-assigned] Azure AKS Managed Identity Not User-Assigned (@princechaddha) [high]
- [azure-aks-rbac-unconfigured] Azure AKS RBAC Not Enabled (@princechaddha) [medium]
- [azure-aks-use-private-kv] Azure AKS Encryption at Rest Not Using Private Key Vault (@princechaddha) [high]
- [azure-apim-http2-not-enabled] Azure API Management HTTP/2 Support Not Enabled (@princechaddha) [medium]
- [azure-apim-https-enforcement-missing] Azure API Management HTTPS Enforcement Not Configured (@princechaddha) [high]
- [azure-apim-nv-plaintext-exposure] Azure API Management Non-Encrypted Named Values Exposure (@princechaddha) [high]
- [azure-apim-public-access-disabled] Azure API Management Public Network Access Disabled with Private Endpoint (@princechaddha) [high]
- [azure-apim-resource-logs-not-configured] Azure API Management Service Resource Logs Not Configured (@princechaddha) [medium]
- [azure-apim-system-assigned-identity-unconfigured] Azure API Management Service System-Assigned Managed Identity Not Configured (@princechaddha) [medium]
- [azure-apim-tls-config-weak] Azure API Management Weak TLS Configured (@princechaddha) [medium]
- [azure-apim-user-assigned-id-not-used] Azure API Management User-Assigned Managed Identity Not Configured (@princechaddha) [medium]
- [azure-appservice-always-on-disabled] Azure App Service Always On Disabled (@princechaddha) [medium]
- [azure-appservice-auth-disabled] Azure App Service Authentication Not Enabled (@princechaddha) [medium]
- [azure-appservice-backup-not-enabled] Azure App Service Automated Backup Not Configured (@princechaddha) [medium]
- [azure-appservice-backup-retention-missing] Azure App Service Backup Retention Not Configured (@princechaddha) [medium]
- [azure-appservice-client-cert-disabled] Azure App Service Client Certificate Not Required (@princechaddha) [medium]
- [azure-appservice-entra-id-missing] Azure App Service Microsoft Entra ID Not Configured (@princechaddha) [medium]
- [azure-appservice-ftp-deployment-disabled] Azure App Service Plain FTP Deployment Disabled (@princechaddha) [medium]
- [azure-appservice-ftps-only-not-enabled] Azure App Service FTPS-Only Access Not Enabled (@princechaddha) [medium]
- [azure-appservice-http2-not-enabled] Azure App Service HTTP/2 Not Enabled (@princechaddha) [low]
- [azure-appservice-https-only-not-enforced] Azure App Service HTTPS-Only Not Enforced (@princechaddha) [medium]
- [azure-appservice-insights-not-enabled] Azure App Service Application Insights Not Enabled (@princechaddha) [medium]
- [azure-appservice-remote-debugging-enabled] Azure App Service Remote Debugging Enabled (@princechaddha) [high]
- [azure-appservice-tls-latest-version-missing] Azure App Service TLS Latest Version Not Configured (@princechaddha) [medium]
- [azure-env] Azure Environment Validation (@princechaddha) [info]
- [azure-cosmosdb-auto-failover-missing] Azure Cosmos DB Automatic Failover Not Enabled (@princechaddha) [high]
- [azure-cosmosdb-default-network-access-unrestricted] Azure Cosmos DB Default Network Access Unrestricted (@princechaddha) [medium]
- [azure-functionapp-access-keys-missing] Azure Function Access Keys Configuration (@princechaddha) [high]
- [azure-functionapp-admin-privileges] Azure Functions with Admin Privileges (@princechaddha) [medium]
- [azure-functionapp-appinsights-missing] Application Insights Integration for Azure Function Apps (@princechaddha) [high]
- [azure-functionapp-public-exposure] Exposed Azure Functions (@princechaddha) [high]
- [azure-functionapp-system-assigned-missing] System-Assigned Managed Identities for Azure Functions (@princechaddha) [medium]
- [azure-functionapp-user-assigned-id-missing] User-Assigned Managed Identities for Azure Functions (@princechaddha) [medium]
- [azure-functionapp-vnet-integration-missing] Virtual Network Integration for Azure Functions Not Enabled (@princechaddha) [high]
- [azure-app-tier-cmk-untagged] Customer-Managed Key Not Tagged in Azure App Tier (@princechaddha) [high]
- [azure-database-tier-cmk-absent] Customer-Managed Key Not Configured for Azure Database Tier (@princechaddha) [high]
- [azure-keyvault-audit-not-enabled] Enable AuditEvent Logging for Azure Key Vaults (@princechaddha) [medium]
- [azure-keyvault-cert-keytype-unapproved] Unapproved Certificate Key Type in Azure Key Vaults (@princechaddha) [medium]
- [azure-keyvault-cert-transparency-missing] Missing Certificate Transparency in Azure Key Vaults (@princechaddha) [medium]
- [azure-keyvault-certificate-insufficient-autorenew] Check for Sufficient Certificate Auto-Renewal Period (@princechaddha) [medium]
- [azure-keyvault-network-unrestricted] Unrestricted Network Access to Azure Key Vaults (@princechaddha) [medium]
- [azure-keyvault-recoverability-unconfigured] Key Vault Recoverability Not Configured (@princechaddha) [high]
- [azure-keyvault-ssl-autorenewal-missing] Missing SSL Certificate Auto-Renewal in Azure Key Vaults (@princechaddha) [high]
- [azure-keyvault-trusted-ms-unrestricted] Key Vault Trusted Microsoft Services Access Not Configured (@princechaddha) [medium]
- [azure-keyvault-resource-lock-check] Azure KeyVault Resource Lock Not Enabled (@princechaddha) [high]
- [azure-diag-logs-not-enabled] Diagnostic Logs Not Enabled for Azure Resources (@princechaddha) [medium]
- [azure-diagnostic-categories-misconfigured] Diagnostic Settings Categories on Azure Resources not configured (@princechaddha) [medium]
- [azure-log-profile-all-activities] Azure Log Profile Missing Critical Activity Categories (@princechaddha) [medium]
- [azure-monitor-diagnostic-unrestricted] Azure Monitor Diagnostic Settings for Subscription Activity Log Export Check (@princechaddha) [medium]
- [azure-network-watcher] Azure Network Watcher Service Not Enabled (@princechaddha) [high]
- [azure-nic-ip-forwarding-check] Review Network Interfaces with IP Forwarding Enabled (@princechaddha) [medium]
- [azure-nsg-cifs-unrestricted] Unrestricted CIFS Access in Azure NSGs (@princechaddha) [high]
- [azure-nsg-dns-unrestricted] Unrestricted DNS Access in Azure NSGs (@princechaddha) [high]
- [azure-nsg-ftp-unrestricted] Unrestricted FTP Access in Azure NSGs (@princechaddha) [high]
- [azure-nsg-http-unrestricted] Unrestricted TCP Port 80 Access in Azure NSGs (@princechaddha) [high]
- [azure-nsg-https-unrestricted] Unrestricted HTTPS Access in Azure NSGs (@princechaddha) [high]
- [azure-nsg-icmp-unrestricted] Unrestricted ICMP Access in Azure NSGs (@princechaddha) [high]
- [azure-nsg-mongodb-unrestricted] Unrestricted MongoDB Access in Azure NSGs (@princechaddha) [high]
- [azure-nsg-mssql-unrestricted] Unrestricted MS SQL Server Access in Azure NSGs (@princechaddha) [high]
- [azure-nsg-mysql-unrestricted] Unrestricted MySQL Database Access in Azure NSGs (@princechaddha) [high]
- [azure-nsg-netbios-unrestricted] Unrestricted NetBIOS Access in Azure NSGs (@princechaddha) [high]
- [azure-nsg-oracle-db-unrestricted] Unrestricted Oracle Database Access in Azure NSGs (@princechaddha) [high]
- [azure-nsg-postgresql-unrestricted] Unrestricted PostgreSQL Database Access in Azure NSGs (@princechaddha) [high]
- [azure-nsg-rdp-unrestricted] Unrestricted RDP Access in Azure NSGs (@princechaddha) [high]
- [azure-nsg-rpc-unrestricted] Unrestricted RPC Access in Azure NSGs (@princechaddha) [high]
- [azure-nsg-smtp-unrestricted] Unrestricted SMTP Access in Azure NSGs (@princechaddha) [high]
- [azure-nsg-ssh-unrestricted] Unrestricted SSH Access in Azure NSGs (@princechaddha) [high]
- [azure-nsg-telnet-unrestricted] Unrestricted Telnet Access in Azure NSGs (@princechaddha) [high]
- [azure-nsg-udp-unrestricted] Unrestricted UDP Access in Azure NSGs (@princechaddha) [high]
- [azure-nsg-restricted-port-range] Restricted Port Range in Azure NSGs (@princechaddha) [medium]
- [azure-vnet-ddos-protection] Azure VNet DDoS Unprotected Check (@princechaddha) [medium]
- [azure-postgres-allow-azure-services-disabled] Azure PostgreSQL Access From Azure Services Disabled (@princechaddha) [high]
- [azure-postgres-connection-throttling-disabled] Azure PostgreSQL Server Connection Throttling Disabled (@princechaddha) [medium]
- [azure-postgres-double-encryption-disabled] Azure PostgreSQL Single Server Double Encryption Not Enabled (@princechaddha) [medium]
- [azure-postgres-log-checkpoints-disabled] Azure PostgreSQL Flexible Server log_checkpoints Disabled (@princechaddha) [medium]
- [azure-postgres-log-connections-disabled] Azure PostgreSQL Log Connections Not Enabled (@princechaddha) [medium]
- [azure-postgres-log-disconnections-disabled] Azure PostgreSQL Log Disconnections Not Enabled (@princechaddha) [medium]
- [azure-postgres-log-duration-disabled] Azure PostgreSQL Log Duration Not Enabled (@princechaddha) [medium]
- [azure-postgresql-geo-backup-disabled] Azure PostgreSQL Geo-Redundant Backup Not Enabled (@princechaddha) [high]
- [azure-postgresql-ssl-enforcement] Azure PostgreSQL SSL Enforcement Not Enabled (@princechaddha) [high]
- [azure-postgresql-storage-autogrow-disabled] Azure PostgreSQL Storage Auto-Growth Disabled (@princechaddha) [high]
- [azure-redis-nonssl-port-disabled] Azure Redis Cache In-Transit Encryption Not Enabled (@princechaddha) [high]
- [azure-redis-tls-version-outdated] Azure Redis Cache TLS Version Not Latest (@princechaddha) [medium]
- [azure-search-service-managed-identity-disabled] Azure Search Service Managed Identity Not Enabled (@princechaddha) [medium]
- [azure-defender-auto-provisioning-disabled] Azure Defender for Cloud Automatic Provisioning Disabled (@princechaddha) [medium]
- [azure-servicebus-public-access-disabled] Azure Service Bus Public Network Access Disabled (@princechaddha) [high]
- [azure-servicebus-tls-version-outdated] Azure Service Bus Namespace TLS Version Not Latest (@princechaddha) [medium]
- [azure-sql-auditing-disabled] Azure SQL Server Auditing Not Enabled (@princechaddha) [medium]
- [azure-sql-failover-not-enabled] Azure SQL Failover Groups Not Enabled (@princechaddha) [medium]
- [azure-sql-mi-tde-cmk-not-enabled] Azure SQL MI TDE Not Using Customer-Managed Keys (@princechaddha) [medium]
- [azure-sql-mi-tls-version-outdated] Azure SQL Managed Instance TLS Version Not Latest (@princechaddha) [medium]
- [azure-sql-tde-cmk-not-used] Azure SQL TDE Protector Not Using BYOK (@princechaddha) [medium]
- [azure-sql-tde-not-enabled] Azure SQL Transparent Data Encryption Not Enabled (@princechaddha) [medium]
- [azure-sql-va-emails-unconfigured] Azure SQL Classic VA Emails Unconfigured (@princechaddha) [medium]
- [azure-blob-anonymous-access-disabled] Azure Blob Anonymous Access Disabled (@princechaddha) [medium]
- [azure-blob-immutable-not-enabled] Azure Blob Immutable Storage Not Enabled (@princechaddha) [high]
- [azure-blob-lifecycle-not-enabled] Azure Blob Storage Lifecycle Management Not Enabled (@princechaddha) [medium]
- [azure-blob-service-logging-disabled] Azure Storage Blob Service Logging Not Enabled (@princechaddha) [medium]
- [azure-blob-soft-delete-disabled] Azure Blob Storage Soft Delete Not Enabled (@princechaddha) [medium]
- [azure-storage-blob-public-access] Azure Storage Blob Public Access Not Disabled (@princechaddha) [medium]
- [azure-storage-byok-not-used] Azure Storage Account Not Using BYOK (@princechaddha) [high]
- [azure-storage-cmk-not-used] Azure Storage Account Not Using CMK (@princechaddha) [high]
- [azure-storage-cross-tenant-replication-disabled] Azure Storage Cross-Tenant Replication Disabled (@princechaddha) [high]
- [azure-storage-encryption-missing] Azure Storage Infrastructure Encryption Not Enabled (@princechaddha) [high]
- [azure-storage-min-tls-version] Azure Storage Minimum TLS Version Not Set to TLS1_2 (@princechaddha) [medium]
- [azure-storage-network-unrestricted] Azure Storage Default Network Access Not Restricted (@princechaddha) [medium]
- [azure-storage-overly-permissive-sap] Azure Storage Overly Permissive Stored Access Policies (@princechaddha) [high]
- [azure-storage-private-endpoint-unconfigured] Azure Storage Private Endpoint Not Configured (@princechaddha) [high]
- [azure-storage-public-access] Azure Storage Publicly Accessible Web Containers (@princechaddha) [high]
- [azure-storage-queue-logging-disabled] Azure Storage Queue Logging Not Enabled (@princechaddha) [high]
- [azure-storage-secure-transfer] Azure Storage Secure Transfer Not Enabled (@princechaddha) [medium]
- [azure-storage-static-website-review] Azure Storage Static Website Configuration Review (@princechaddha) [medium]
- [azure-storage-table-logging-disabled] Azure Storage Table Logging Not Enabled (@princechaddha) [medium]
- [azure-storage-trusted-access-disabled] Azure Storage Trusted Microsoft Services Access Disabled (@princechaddha) [medium]
- [azure-budget-alerts-missing] Azure Budget Alerts Not Configured (@princechaddha) [high]
- [azure-policy-not-allowed-types-unassigned] Azure Policy - Not Allowed Resource Types Policy Assignment Not in Use (@princechaddha) [medium]
- [azure-synapse-sqlpool-tde-disabled] Azure Synapse Analytics SQL Pool Transparent Data Encryption Not Enabled (@princechaddha) [high]
- [azure-vm-tags-schema-noncompliant] Azure VM Tags Schema Non-compliant (@princechaddha) [low]
- [azure-app-tier-vm-disk-unencrypted] Azure App-Tier VM Disk Encryption Not Enabled (@princechaddha) [high]
- [azure-disk-encryption-unattached-volumes] Azure Disk Encryption Not Enabled for Unattached Disk Volumes (@princechaddha) [medium]
- [azure-lb-unused] Azure Unused Load Balancer Check (@princechaddha) [low]
- [azure-vm-accelerated-networking-disabled] Azure VM Accelerated Networking Not Enabled (@princechaddha) [medium]
- [azure-vm-accelerated-networking-not-enabled] Azure VM Accelerated Networking Not Enabled (@princechaddha) [medium]
- [azure-vm-boot-diagnostics-not-enabled] Azure VM Boot Diagnostics Not Enabled (@princechaddha) [medium]
- [azure-vm-boot-disk-unencrypted] Azure VM Boot Disk Not Encrypted (@princechaddha) [medium]
- [azure-vm-byok-disk-volumes-not-enabled] Azure VM Disk Volumes BYOK Encryption Not Enabled (@princechaddha) [high]
- [azure-vm-endpoint-protection-missing] Azure VM Endpoint Protection Not Installed (@princechaddha) [high]
- [azure-vm-entra-id-unenabled] Azure VM Microsoft Entra ID Authentication Not Enabled (@princechaddha) [medium]
- [azure-vm-guest-diagnostics-unenabled] Azure VM Guest-Level Diagnostics Not Enabled (@princechaddha) [medium]
- [azure-vm-jit-access-not-enabled] Azure VM Just-In-Time Access Not Enabled (@princechaddha) [high]
- [azure-vm-managed-identity-unassigned] Azure VM Managed Identity Not Assigned (@princechaddha) [medium]
- [azure-vm-performance-diagnostics-unenabled] Azure VM Performance Diagnostics Feature Not Enabled (@princechaddha) [medium]
- [azure-vm-ssh-auth-type] Azure VM SSH Authentication Type Not Using Keys (@princechaddha) [high]
- [azure-vm-standard-ssd-required] Azure VM Premium SSD Not Required (@princechaddha) [high]
- [azure-vm-trusted-launch-disabled] Azure VM Trusted Launch Not Enabled (@princechaddha) [medium]
- [azure-vm-unapproved-image] Azure VM Not Using Approved Image (@princechaddha) [medium]
- [azure-vm-unmanaged-disk-volumes] Azure VM Unmanaged Disk Volumes Detected (@princechaddha) [medium]
- [azure-vm-web-tier-disk-unencrypted] Azure VM Web-Tier Disk Volumes Not Encrypted (@princechaddha) [high]
- [azure-vmss-auto-os-upgrade-missing] Azure VMSS Automatic OS Upgrade Not Enabled (@princechaddha) [medium]
- [azure-vmss-auto-repairs-disabled] Azure VMSS Automatic Instance Repairs Not Enabled (@princechaddha) [medium]
- [azure-vmss-empty-unattached] Azure Virtual Machine Scale Sets Empty and Unattached (@princechaddha) [low]
- [azure-vmss-health-monitoring-missing] Azure VMSS Health Monitoring Not Enabled (@princechaddha) [medium]
- [azure-vmss-load-balancer-unassociated] Azure VMSS Load Balancer Unassociated (@princechaddha) [medium]
- [azure-vmss-public-ip-disabled] Azure VMSS Public IP Not Assigned (@princechaddha) [high]
- [azure-vmss-termination-notif-disabled] Azure VMSS Instance Termination Notifications Disabled (@princechaddha) [medium]
- [azure-vmss-zone-redundancy-missing] Azure VMSS Zone-Redundant Configuration Not Enabled (@princechaddha) [high]
- [retool-dom-xss] Retool <3.82.0 Edge OAuth Authorize - DOM Based XSS (@rootxharsh, @iamnoooob, @pdresearch) [high]
- [apache-hertzbeat-default-login] Apache HertzBeat - Default Credentials (@securitytaters) [high]
- [authentik-panel] Authentik Panel - Detect (@rxerium) [info]
- [ibm-api-connect-panel] IBM API Connect Panel - Detect (@righettod) [info]
- [kemp-loadmaster-panel] Progress Kemp LoadMaster Panel - Detect (@rxerium) [info]
- [apache-jspwiki-ip-userenum] Apache JSPWiki - User IP Enumeration (@icarot) [low]
- [directory-listing-no-host-header] Directory Listing - No Host header (@kazet) [unknown]
- [emlog-installer] Emlog Pro - Installation (@ritikchaddha) [high]
- [strapi-admin-installer] Strapi Admin - Installer (@dhiyaneshdk) [critical]
- [nginx-api-traversal] Nginx Plus Rest API - Traversal (@encodedguy) [high]
- [repetier-unauth] Repetier Server Dashboard - Unauthenticated (@ritikchaddha) [high]
- [apache-jspwiki-detect] Apache JSPWiki - Detect (@icarot) [info]
- [ibm-api-connect-detect] IBM API Connect Developer Portal - Detect (@righettod) [info]
- [wordpress-give] Wordpress GiveWP Detection (@mailler) [info]
- [wordpress-inpost-for-woocommerce] InPost PL for WooCommerce Detection (@mailler) [info]
- [wordpress-woo-inpost] InPost for WooCommerce Detection (@mailler) [info]
- [writebook-detect] Writebook - Detect (@hahwul) [info]
- [finereport-sqli-rce] FineReport SQLi - Remote Code Execution (@adeljck) [critical]
- [imo-file-download] IMO - Arbitrary File Download (@ritikchaddha) [high]
- [imo-rce] IMO - Remote Code Execution (@ritikchaddha) [critical]
- [fastbee-arbitrary-file-read] FastBee - Local File Inclusion (@s4e-io) [high]
- [fumasoft-sqli] Fumasoft Cloud - SQL Injection (@ritikchaddha) [critical]
- [nsfocus-auth-bypass] Nsfocus - Arbitrary User Login (@ritikchaddha) [high]
- [nsfocus-lfi] Nsfocus - Arbitrary File Read (@ritikchaddha) [high]
- [webp-server-lfi] Webp Server Go - Path Traversal (@ritikchaddha) [high]
- [projectsend-auth-bypass] ProjectSend <= r1605 - Improper Authorization (@dhiyaneshdk) [high]
- [yonyou-ufida-cloud-sqli] UFIDA NC Cloud - SQL Injection (@s4e-io) [high]
New Contributors
- @gmeghab made their first contribution in #10718
- @iuliu8899 made their first contribution in #10707
Full Changelog: v9.9.4...v10.0.0