Lateral movement

Data factory global parameters expose secrets

Risk Level

Hazardous (3)

Compliance Frameworks


Azure Data Factory is Azure's cloud ETL service for scale-out serverless data integration and data transformation. Global parameters are constants across a data factory that can be consumed by a pipeline in any expression. We have found that the data factory exposes sensitive data in the environment variables of the function. If an attacker can list this data factory (i.e. read its metadata), they may be able to use this information for lateral movement.
Recommended Mitigation

Review your functions and make sure they do not contain secrets. We recommend storing secrets in a dedicated service such as Key Vault.
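
One way to carry out this review for global parameters, as an added example that is not part of the original rule or of any vendor tooling: a Python check that walks a factory definition's `globalParameters` and flags values that look like secrets. The input shape (`properties.globalParameters` with `type`/`value` entries), the regexes, the entropy threshold and the sample factory are assumptions constructed for illustration.

```python
import math
import re

# Heuristics are assumptions of this example; tune them for your environment.
NAME_HINT = re.compile(r"password|passwd|pwd|secret|token|(api|account|access)[_-]?key|conn(ection)?[_-]?str", re.I)
VALUE_HINT = re.compile(r"AccountKey=|SharedAccessKey=|Password=|[?&]sig=|-----BEGIN [A-Z ]*PRIVATE KEY-----", re.I)

def entropy(s):  # Shannon entropy in bits per character
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def walk(path, value):
    """Yield (path, text) for each non-empty string leaf, descending into Object/Array values."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from walk(f"{path}.{k}", v)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from walk(f"{path}[{i}]", v)
    elif isinstance(value, str) and value:
        yield path, value

def audit_global_parameters(factory):
    """Return [(parameter path, [reasons])] for values that look like secrets."""
    props = factory.get("properties", factory)  # nested under "properties", or already flattened
    findings = []
    for name, param in (props.get("globalParameters") or {}).items():
        for path, text in walk(name, param.get("value")):
            reasons = []
            if NAME_HINT.search(path):
                reasons.append("secret-like name")
            if VALUE_HINT.search(text):
                reasons.append("credential pattern in value")
            if len(text) >= 32 and entropy(text) >= 4.5:
                reasons.append("high-entropy value")
            if reasons:
                findings.append((path, reasons))
    return findings

# Constructed sample factory definition; every value is a placeholder.
SAMPLE_FACTORY = {"name": "adf-example", "properties": {"globalParameters": {
    "environment": {"type": "String", "value": "production"},
    "batchSize": {"type": "Int", "value": 500},
    "sqlPassword": {"type": "String", "value": "EXAMPLE-not-a-real-password"},
    "storageConn": {"type": "String", "value": "AccountName=examplestore;AccountKey=PLACEHOLDER"},
    "targets": {"type": "Object", "value": {"region": "westeurope", "apiKey": "PLACEHOLDER"}},
    "opaqueBlob": {"type": "String", "value": "abcdefghijklmnopqrstuvwxyz012345"},
}}}

if __name__ == "__main__":
    print(audit_global_parameters(SAMPLE_FACTORY))
```

Any parameter this flags is a candidate for moving into Key Vault; a clean result only means the heuristics found nothing, so treat it as a triage aid for the manual review.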