This issue is resolved starting in release 2.31.0, via the addition of application-level check of the bearer token's `issuer` against an administrator-configured allowlist. Via authorized API calls, this also enables tampering with existing data and unauthorized code execution on Azure compute resources.
This can result in read/write access to private data such as software vulnerability and crash information, security testing tools and proprietary code and symbols.
To be vulnerable, a OneFuzz deployment must be both version 2.12.0 or greater and deployed with the non-default -multi_tenant_domain option. Starting with OneFuzz 2.12.0 or greater, an incomplete authorization check allows an authenticated user from any Azure Active Directory tenant to make authorized API calls to a vulnerable OneFuzz instance. OneFuzz is an open source self-hosted Fuzzing-As-A-Service platform.
