summitroute / csp_security_mistakes
This repo has been replaced by https://www.cloudvulndb.org
Home Page: https://www.cloudvulndb.org/
Add Brandon Sherman's AmazonSageMakerFullAccess issue: https://summitroute.com/blog/2019/06/18/aws_iam_managed_policy_review/
Add https://duo.com/blog/potential-gaps-in-suggested-amazon-web-services-security-policies-for-mfa
There are a lot of these and I'm not sure if I should list every minor one.
This repo is a good start at collecting this data, but ultimately it needs to be presented via a webapp that can provide filtering and sorting. Some people are primarily interested in specific CSPs (ex. #23), most recent issues (#6), most severe issues, and more. I think backing this data in github is beneficial for transparency, submitting PRs and issues, etc. but the presentation of this data needs to be improved.
Should you have a Discover Date and a Fix Date field? Or maybe I should be asking: what happens to these issues once they are addressed? Do they go off this page? If not, I suggest a fix date be added.
It seems like it might be more useful to have the items in reverse chronological order, with newest first.
We need a better way to reference these than by the titles I gave them.
https://cloudsecurityforum.slack.com/archives/C6DN616HG/p1653611790045629
I found a security vulnerability in MWAA (Amazon Managed Workflows for Apache Airflow) that has been fixed, so now I can talk about it. Specifically, there are two API calls that the service uses to convert IAM credentials into tokens that can be used to log in to Airflow. CreateCliToken and CreateWebLoginToken were logging the tokens to CloudTrail. The event also included the hostname for the Airflow server, so everything required to log in to the server was in the event.
Reported May 11th, fixed May 22.
Tokens are only valid for 60 seconds, and CloudTrail log delivery is not fast enough for them to still be valid by the time an AWS customer can see them.
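As an added illustration of the defensive side of this report (not code from the repo or the reporter), the following scanner walks CloudTrail records and flags CreateCliToken / CreateWebLoginToken events whose logged request or response fields still carry a token. The field names CliToken, WebToken and WebServerHostname are assumed from the MWAA API response shape; the sample records are constructed, not real CloudTrail output.

```python
"""Flag MWAA token-issuing CloudTrail events that expose the token itself."""

# Event names from the report; field names assumed from the MWAA API response shape.
TOKEN_EVENTS = {"CreateCliToken", "CreateWebLoginToken"}
SECRET_KEYS = {"CliToken", "WebToken"}
HOST_KEYS = {"WebServerHostname"}


def _find_keys(obj, wanted):
    """Recursively collect names from `wanted` that appear as non-empty keys in `obj`."""
    found = set()
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key in wanted and value:
                found.add(key)
            found |= _find_keys(value, wanted)
    elif isinstance(obj, list):
        for value in obj:
            found |= _find_keys(value, wanted)
    return found


def leaked_token_events(records):
    """Return one finding per token event whose logged fields contain a token.

    A fixed service logs these events with the secret fields redacted or absent,
    so a record that still carries CliToken/WebToken is the over-logging case.
    """
    findings = []
    for rec in records:
        if rec.get("eventName") not in TOKEN_EVENTS:
            continue
        logged = {
            "requestParameters": rec.get("requestParameters"),
            "responseElements": rec.get("responseElements"),
        }
        secrets = _find_keys(logged, SECRET_KEYS)
        if secrets:
            findings.append({
                "eventID": rec.get("eventID"),
                "eventName": rec["eventName"],
                "secret_fields": sorted(secrets),
                "hostname_logged": bool(_find_keys(logged, HOST_KEYS)),
            })
    return findings


# Constructed sample records: one over-logged event, one redacted event, one unrelated event.
SAMPLE_RECORDS = [
    {"eventID": "evt-1", "eventName": "CreateCliToken",
     "responseElements": {"CliToken": "CONSTRUCTED-TOKEN", "WebServerHostname": "example-host"}},
    {"eventID": "evt-2", "eventName": "CreateWebLoginToken", "responseElements": None},
    {"eventID": "evt-3", "eventName": "ListEnvironments", "responseElements": {"Environments": []}},
]
```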
Hello,
https://twitter.com/nJoyneer/status/1526593840928411650?t=uLgCnUvoD2dwVyajbR3U0Q&s=19
I'm surprised by the late disclosure after AWS fix.
Security September (which includes two issues already in the repo) had five entries, one of which was unexploitable.
CAP_NET_RAW
issues as well. We were also able to undelete 8,996 files from an official image that was published by Amazon AWS itself.
Would it make sense to split the main file into per-provider files? It's long enough now that if nothing else a hyperlinked table of contents would be a massive help...
Recommending for inclusion as AWS chose to patch. Would not generally consider WAF bypasses notable.
Wanted to check if this makes sense to open a PR for. The issue was that AWS originally allowed 169.254.169.254 to be routed to other EC2 instances, allowing them to effectively act as the IMDS server for the VPC.
This allowed lateral movement across instances due to the fact that, during boot, cloud-init will run user data as root from this IP without verifying whether the server is trusted or not.
Reference: https://github.com/RyanJarv/EC2FakeImds
From my understanding this is not possible anymore for any account that hasn’t used this feature in the past. I don’t believe AWS made any public comment on this however.
The Register reports:
A spokesperson for Amazon has told us the code repository was used by the engineer in a personal capacity, and claimed no customer data or company systems were exposed.
https://www.theregister.com/2020/01/23/aws_engineer_credentials_github/
Christophe Parisel on LinkedIn created a Piercing Index to define how to calculate the severity: https://www.linkedin.com/feed/update/urn:li:activity:6896378758501154816/
https://twitter.com/_fel1x/status/1391712232380194818
Note the same issue impacted Azure.
Would be nice to know if the issue was resolved or not.