Daniel Thatcher

A flaw in AWS API Gateway enabled hiding HTTP request headers. Tampering
with HTTP requests visibility enabled bypassing IP restrictions, cache poisoning
and request smuggling.


AWS API Gateway HTTP header smuggling

Liv Matan

Azure API Management is an API gateway service meant to help organizations to create, manage, secure,
and monitor APIs across all of their environments. Researchers found three high severity vulnerabilities
in the service, two of which are SSRF (Server Side Request Forgery) vulnerabilities, and the third is a
path traversal bug. The SSRF issues affected the Azure API Management CORS proxy (which handles schema
retrieval) and hosting proxy (which routes API requests to the correct server). An attacker successful
in exploiting each of these SSRF vulnerabilities could fake requests from these legitimate servers and
thereby gain access to internal Azure services. However, the researchers did not determine the effective
impact of this access level, and it's therefore possible that Azure had security measures in place which
would have blocked further lateral movement. The path-traversal vulnerability allowed for an unrestricted
file upload to the Azure developer portal server. The portal's authenticated mode allows users to upload
static files and images to be displayed within the portal website, but this vulnerability could have allowed
an attacker to upload code instead, and then potentially execute it on the server itself.


API Management SSRF and path traversal vulnerabilities

AppFlow had an undocumented service called sandstoneconfigurationservicelambda. 
An undocumented field (awsOwnedManagedAppCredentialsArn) could be used during
connector registration and connector updates. Specifying a victim's Secret ARN
as that field disclosed the clientId and clientSecret, so long as the victim
Secret ARN belonged to a connection profile which is of the type 
OAuth or contains clientId and clientSecret.


AWS AppFlow secrets disclosure

Azure Active Directory Seamless Single Sign-On feature allowed single-factor brute-force attacks
against Azure AD without generating sign-in events in the targeted organization’s tenant.


Azure AD Seamless SSO logging bypass

Lidor Ben Shitrit

By misusing the Apiary web service and taking advantage of Apiary's use of IMDSv1,
a remote attacker is able to retrieve sensitive information from various endpoints
and use it to gain more access and sensitive data of other hosts in the same environment.


Oracle Apiary SSRF

The AppFlow WooCommerce connector allowed specification of a full URL.
The connector included details of response content when the URL
offered an unexpected response. This means you could make arbitrary
GET requests to any URL from the WooCommerce connector, and view the 
response content. The response in the error was truncated to 500 characters.


AWS AppFlow WooCommerce SSRF

Emilien Socchi

Azure Cognitive Search (ACS) is a full-text search engine service.
A new non-default feature allowed for a network control to bypassed, permitting an attacker to submit search queries to any other tenant's network-isolated ACS instance. However, abusing this required a valid API key 
to access the data plane of the target, along with a number of pieces of information about the target environment (such as the subscription ID and the name of the index to query).


ACSESSED

Nick Frichette

The API action ListObservabilityConfigurationsForAccount did not properly validate the 
"AccountId" parameter that was passed to it. As a result, any account ID could be provided 
and the API would return the information for that account. This would leak minor information
about the observability configuration for App Runner in the account.


App Runner cross-tenant observability config info leak

Saransh Rana

Credentials can be extracted from AppStream. When used, they obscure
the sourceIP and userName of the initial user. The sourceIP appears 
as appstream.amazonaws.com.


AWS AppStream Cloudtrail Bypass

Juho Nurminen

The @actions/core package had a delimiter injection vulnerability in the exportVariable function. Attackers could use a known delimiter to break out of a specific variable and assign values to other arbitrary variables. This may have allowed modification of path or environment variables without the intention of workflow or action authors.


Actions Core Delimiter Injection Vulnerability

The API action ListVpcConnectorsForAccount did not properly validate the "AccountId" parameter
that was passed to it. As a result, any account ID could be provided and the API would return
the information for that account. This would leak minor information about the VPC 
configuration for App Runner in the account including the subnet ID, security group ID, and the
VPC Connector ARN.


App Runner cross-tenant VPC connectors info leak

The AWS AppSync service could be coerced to assume arbitrary roles in
other customers' accounts which trusted the AppSync service. This was
due to insufficient validation of a serviceRoleArn parameter (caused by
a case-sensitivity parsing issue). With this vulnerability, if an adversary
knew the ARN of the role associated with AppSync in the target account,
they could use it invoke arbitrary AWS API calls.


AWS AppSync confused deputy via ServiceRoleArn

Ian Duffy

Full administrative access to the Azure Red Hat Enterprise Linux Appliance REST API was publicly exposed.
It allowed malicious actors uploading packages that would be acquired by client virtual machines on their next yum update. 
The vulnerable infrastructure supplies all the packages for all Red Hat Enterprise Linux instances booted from the Azure marketplace.


Public admin access to Azure's Red Hat Update Infrastructure

Jackson Reid

Asset Key Thief was a Google Cloud 
privilege escalation vulnerability that enabled 
principals with the "Cloud Asset Viewer" role (or other roles 
with the `cloudasset.assets.searchAllResources` permission) on the 
Cloud Asset Inventory API, at the Project, Folder, or Organization level 
to view and exfiltrate any user-managed Service Account 
private key under a project within the same Google Cloud environment that 
had been created or rotated up to a maximum of 12 hours ago. 
Access to Service Account private keys enable the full assumption 
of that Service Account's identity and privileges, which would have given 
attackers with existing access to a Google Cloud environment a persistent and reliable
method of lateral movement and privilege escalation. Google has since fixed this 
vulnerability, but affected customers must rotate their keys manually.


Asset Key Thief

Felix Wilhelm

Amazon Elastic Kubernetes Service (EKS) uses IAM to provide authentication to the cluster
through the AWS IAM Authenticator for Kubernetes (aws-iam-authenticator). Multiple issues
were identified in the authenticator that could have allowed exploitation, namely (1) a
lax regular expression used to verify presigned URLs; (2) HTTP client redirect follow
(due to using Golang HTTP client in its default configuration); (3) use of the Golang URL.Query
function (which silently drops parameters that Go considers invalid, rather than raising
an error and rejecting invalid tokens); and (4) no verification that the cluster uses Go
versions newer than 1.12 (as older versions are vulnerable to request smuggling).


Multiple issues in AWS IAM Authenticator for Kubernetes

s1r1us

AI Hub Jupyter Notebook server lacked a check of the Origin header that
led to a CSRF vulnerability. An attacker could have read sensitive data and execute
arbitrary actions in customer environments.


AI Hub Jupyter Notebook instance CSRF

Daniel Grzelak

3rd party vendors can (and sometimes do) incorrectly implement sts:ExternalId in their
AWS role trust policies, leading to confused deputy issues. These misconfigurations could
allow customers to access other customers' data. Although vendors are responsible for
ensuring their own configurations are correct, AWS could theoretically add mitigations
to prevent and detect this issue.


3rd party vendor confused deputy via AssumeRole

Ofek Itach, Yakir Kadkoda

The AWS Cloud Development Kit (CDK) is a way of deploying infrastructure-as-code. The vulnerability involves AWS CDK’s use of a predictable S3 bucket name format
(cdk-{Qualifier}-assets-{Account-ID}-{Region}), where the default “random” qualifier (hnb659fds) is common and easily guessed. If an AWS customer deletes this bucket and reuses CDK, 
an attacker who claims the bucket can inject malicious CloudFormation templates, potentially gaining admin access. Attackers supposedly only need the AWS account ID to prepare the bucket 
in various regions, exploiting the default naming convention. However, it is important to note that the additional conditions greatly lower the likelihood of exploitation. 
The victim must use the CDK, having deleted the bucket, and then subsequently attempt to deploy with the CDK. Making it so that even if there is a vulnerable account, it could be months, 
if ever for the attack to work.


AWS CDK Bucket Squatting Risk

James Kettle (Portswigger), Arkadiy Tetelman (Chime)

ALBs found vulnerable to HTTP request smuggling (desync attack).


ALB HTTP request smuggling

Elad Gabay

Any unattached storage volume, or attached storage volumes allowing multi-attachment,
could have been read from or written to as long as an attacker knew their Oracle Cloud Identifier (OCID),
allowing sensitive data to be exfiltrated or even more impactful attacks to be initiated via
executable file manipulation in the target tenant's environment.


AttachMe

If attacker controlled data is viewed in Cloudshell it could have led to
code execution. This exact same issue existed in Azure previously.


AWS CloudShell terminal escape

Marco Balduzzi, Jonas Zaddach, Davide Balzarotti, Engin Kirda, Sergio Loureiro

Researchers, while investigating the security posture of Public AMIs, were
able to undelete files from an official image that was published by Amazon AWS.


AWS published official AMIs with recoverable deleted files

Yanir Tsarimi

An exposed endpoint in the Azure Automation Service allowed to steal Azure
API credentials from other customers


AutoWarp

Carlos Polop

An attacker with elevated permissions in CodeBuild could leak 
the configured credentials for Github/Bitbucket. This was possible by 
configuring the http_proxy and https_proxy variables, which would allow 
you to capture the credentials via MITM.


AWS CodeBuild Token Leakage

Amazon Managed Workflows for Apache Airflow (MWAA) and the Task instance details
page in the Google Composer UI were not patched against CVE-2023-29247 (Stored XSS).
This meant that post-authentication, a threat actor could have exploited this
to store their JavaScript payload in the victim's managed Apache Airflow instance
and run JavaScript on behalf of the victim (who could be an admin or another
user with higher permissions than the threat actor, thereby leading to privilege escalation).
With JavaScript, threat actors could have run any operation in the session that the victim
is able to run — edit tasks, read jobs, run jobs, read plugins and configurations, 
list connections, add variables and more.


ApatchMe

AWS identified an issue in the Amazon WorkSpaces Windows client which resulted in unintentionally logging
connection debugging information to a user's local system. This data could include usernames or passwords
if they contain specific characters: \ (backslash) or " (double quotes). If an attacker gained access to
an Amazon WorkSpaces user's machine, they could then compromise such credentials from the log.


Amazon WorkSpaces Windows client credential logging

Will Deane

For AWS CodeBuild, when using a custom container image stored in ECR and the 
project service role for the credentials to pull the image, the default IAM 
policy attached to the role to allow pulling the container was over-privileged 
and allowed the CodeBuild container to overwrite its own build image. 
An attacker with the ability to read the container credentials from the meta-data 
service or run commands within the container could thereby overwrite the container to gain 
persistence within the CodeBuild project.


Overprivileged CodeBuild default ECR IAM policy

Johann Rehberger

An Indirect Prompt Injection attack can cause the LLM to return
markdown tags. This allows an adversary who’s data makes it into
the chat context (e.g via an uploaded file) to achieve data
exfiltration of the victim’s data by rendering hyperlinks.


Amazon Q for Business Data Exfiltration

Spencer Gietzen

The AWS CodeStar service had an undocumented API (codestar:CreateProjectFromTemplate) that allowed
users with broadly-scoped CodeStar permissions to create a CodeStar project. As part of the creation
process, AWS would create a new CodeStarWorker IAM policy & attach it to the user making the call.
This policy granted full access to over 50 AWS services, including iam:AttachRolePolicy, iam:AttachUserPolicy and iam:PutRolePolicy permissions,
which would allow the user to escalate to full administrator access. Following disclosure, AWS removed
the majority of access granted by the CodeStarWorker policy, but this is still a viable escalation path if
there are other misconfigurations in the environment.


IAM privilege escalation via undocumented CodeStar API

The AWS Amplify service was found to be misconfiguring IAM roles associated 
with Amplify projects. This misconfiguration caused these roles to be assumable 
by any other AWS account. Both the Amplify Studio and the Amplify CLI 
exhibited this behavior. Any Amplify project created using the Amplify CLI
built between July 3, 2018 and August 8, 2019 had IAM roles that were assumable by
anyone in the world. The same was true if the authentication component was removed
from an Amplify project using the Amplify CLI or Amplify Studio built between
August 2019 and January 2024. AWS mitigated this vulnerability through backend changes to
STS and IAM, and also released a patch for the Amplify CLI to ensure that newly
created roles are properly configured in accordance with these changes.


AWS Amplify IAM role publicly assumable exposure

Christophe Tafani-Dereeper

AWS applies a rate limit to authentication requests made to the AWS Console
in an effort to prevent brute-force and credential stuffing attacks. However,
a weakness was discovered in the AWS Console authentication flow that allowed
a partial bypass of this rate limit by pausing for 5 seconds every 30 attempts.
This would enable an attacker to continuously attempt more than 280 passwords
per minute (4.6 per second) against IAM users, which could have resulted in
account compromise of users without MFA enabled.


AWS Console rate limit bypass

AWS Control Tower was not properly logging to CloudTrail when API calls
failed due to a lack of permissions. This could have helped an adversary
with existing access to a victim AWS environment avoid detection while
enumerating privileges, since any unsuccessful API calls would not
generate "access denied" log entries.


Partial CloudTrail logging in AWS Control Tower

An AWS employee pushed sensitive data to a public github bucket, including customer information and credentials.
Note: This issue is outside the scope of this database's usual criteria for inclusion,
but has been kept for historic reasons, as it was included in the original CSP Security Mistakes dataset.


AWS uploaded sensitive data to public GitHub bucket

Ben Bridts

AWS Directory Service didn't check the iam:PassRole permissions when using the
EnableRoleAccess action. This could have been used for privilege escalation by an
authenticated user with sufficient permissions (ds:EnableRoleAccess), if the
role had a trust policy that allowed use by Directory Service.


AWS Directory Service not checking iam:PassRole on EnableRoleAccess

Scott Piper

Even for the AWS-managed ElasticSearch clusters that had not been made public,
their index names could be learned.


AWS ElasticSearch Index Name Leakage

Information about this issue is under NDA, but AWS customers can read about it on pages 120-121 of the report,
which is available for download through AWS Artifact.
Note: This issue is outside the scope of this database's usual criteria for inclusion, but has
been kept for historic reasons, as it was included in the original CSP Security Mistakes dataset.


AWS SOC 2 type 2 failure (Fall 2020)

Information about this issue is under NDA, but AWS customers can read about it on page 98 of the report,
which is available for download through AWS Artifact.
Note: This issue is outside the scope of this database's usual criteria for inclusion, but has
been kept for historic reasons, as it was included in the original CSP Security Mistakes dataset.


AWS SOC 2 type 2 failure (Fall 2021)

Michael Werner

A principal with the permissions glue:GetConnection and ec2:DescribeSubnets
can retrieve the database password of a connection, since the password is loaded into
the AWS console website when a connection's edit page is requested. The severity of
this issue is low since it requires sufficient prior access.


AWS Glue database password leakage

Aidan Steele

AWS IAM Identity Center exchanges third-party OIDC tokens for
Identity Center-issued tokens. Identity Center relies on the jti
claim in the third-party tokens to prevent replay attacks. 
Identity Center maintained a cache of previously-seen jti values
for a fixed period (24 hours) and didn’t enforce that the third-party
tokens had expiry claims. This meant that a token with a jti claim and
without an exp claim could be replayed after >24 hours had passed. 


AWS IAM Identity Center Expiry

Tag variable names affected whether trust policy conditions were evaluated correctly.
If the request tag referenced a principal tag called MemberRole in the JWT token, and 
the IAM role referenced a resource tag with the same variable name, the condition was
always evaluated as true, regardless of whether the tag's values actually matched. Only
role trust policies that used a variable substitution for both the request tag and the
resource tag in the policy statement resulted in the policy evaluating incorrectly. The 
issue impacted statements within IAM boundary policies and SCP policies that contained 
the same pattern of STS role assumption with tag-based conditions.


AWS IAM Trust Policy Condition Evaluation Bug

Through an undocumented API service called 'iamadmin', attackers could invoke any of 13 read-only IAM actions without the activity being being logged to CloudTrail.
These actions included listing group policies (iam:ListGroupPolicies), listing access keys (iam:ListAccessKeys), retrieving information about a role (iam:GetRole), and more.
This could have enabled adversaries to perform enumeration and reconnaissance activity undetected after gaining a foothold in a victim AWS environment.


AWS CloudTrail bypass for specific IAM actions

AWS offers a metadata service accessible to most EC2 Instances via a simple GET request to 169.254.169.254.
If an instance has an SSRF vulnerability, attackers can access the metadata service & exfiltrate the credentials 
of an attached IAM role to gain privileged access to the relevant AWS environment.


AWS IAM role credential exfiltration via EC2 Instance Metadata Service (IMDSv1)

Alex Brasetvik

The AWS Java SDK was vulnerable to XML external entity (XXE) injection related to XML parsers.


AWS Java SDK XXE injection

Two malicious versions were created of packages previously used by AWS.
The packages were officially authored and maintained by AWS before they
were removed by their legitimate author, and once the packages were
removed, their names became available and the two packages were then
populated with malicious code. If AWS-deployed software had any dependencies
on these packages, this would have led to a dependency confusion attack.


AWS package backfill attack

Gafnit Amiga

A vulnerability was discovered in the Aurora PostgreSQL log_fdw extension
for Amazon Relational Database Service (RDS), allowing an attacker to read
files on the EC2 host and obtain credentials for an internal AWS service.


The Open Cloud Vulnerability
& Security Issue Database

Tags:

Recently published

CodeQLEAKED - CodeQL Supply Chain Attack via Exposed Secret

John Stawinski, Praetorian

Vault Recon (Azure KeyVault Secrets Metadata Control Plane Exfiltration)

Graham Gold

Silent Reaper (Azure LogicApp Secrets Control Plane Exfiltration)

Graham Gold

Dirty DAG - Azure Apache Airflow Integration Vulnerabilities

Ofir Balassiano, David Orlo...

ModeLeak: LLM Model Exfiltration Vulnerability in Vertex AI

Ofir Balassiano, Ofir Shaty...

Repo swatting attack deletes/blocks GitHub and GitLab accounts

Paul McCarty, SourceCodeRed

The Open Cloud Vulnerability & Security Issue Database

Tags:

Recently published

CodeQLEAKED - CodeQL Supply Chain Attack via Exposed Secret

John Stawinski, Praetorian

Vault Recon (Azure KeyVault Secrets Metadata Control Plane Exfiltration)

Graham Gold

Silent Reaper (Azure LogicApp Secrets Control Plane Exfiltration)

Graham Gold

Dirty DAG - Azure Apache Airflow Integration Vulnerabilities

Ofir Balassiano, David Orlo...

ModeLeak: LLM Model Exfiltration Vulnerability in Vertex AI

Ofir Balassiano, Ofir Shaty...

Repo swatting attack deletes/blocks GitHub and GitLab accounts

Paul McCarty, SourceCodeRed

The Open Cloud Vulnerability
& Security Issue Database