Obmi

GCP Cloudshell has been affected by various XSS and CSRF vulnerabilities stemming from different root causes
related to authentication handling, markdown editing, file uploading and more. Explotiation of these vulnerabilities
normally requires user interaction through social engineering (convincing a potential victim to click a malicious link).


GCP Cloudshell XSS and CSRF bugs

Bugra Eskici

A vulnerability was discovered in Cloud Shell that enabled command injection and remote shell access.
By manipulating the "project" parameter, an attacker could have cause an unencoded Python script execution flaw.
Exploiting this flaw, they could inject a command to display the contents of the "/etc/passwd" file, 
successfully execute arbitrary commands and obtain remote shell access. However, the impact of this is unclear,
as an attacker would seemingly only be able to gain such a remote shell on their own instance.


Google Cloud Shell command injection

Will Deane

For AWS CodeBuild, when using a custom container image stored in ECR and the 
project service role for the credentials to pull the image, the default IAM 
policy attached to the role to allow pulling the container was over-privileged 
and allowed the CodeBuild container to overwrite its own build image. 
An attacker with the ability to read the container credentials from the meta-data 
service or run commands within the container could thereby overwrite the container to gain 
persistence within the CodeBuild project.


Overprivileged CodeBuild default ECR IAM policy

Azure Active Directory Seamless Single Sign-On feature allowed single-factor brute-force attacks
against Azure AD without generating sign-in events in the targeted organization’s tenant.


Azure AD Seamless SSO logging bypass

Sivanesh Ashok, Sreeram KL

Several vulnerabilities were present in how Google Cloud Shell (ssh.cloud.google.com) handled OAuth credentials. These included an open-redirect vulnerability, where attackers could redirect users to malicious sites to capture their credentials, 
and a validation bypass that allowed tokens to be submitted to user-defined URIs, circumventing normal security checks. Additionally, Google Cloud Workstations did not correctly tie the state parameter to the session that generated it, 
which allowed valid state parameters to be reused across different sessions and users. Combined, these issues created a scenario where credentials to Google Cloud Workstations were susceptible to phishing attacks.


Bypassing authorization in Google Cloud Workstations

Google Cloudshell leveraged websockets without validating that the origin matched the current instance host.
An attacker could therefore host a CSWSH attack on a Cloudshell instance they own, disabling authentication via 
access to the underlying VM. They could then start the OAuth process with a spoofed host header, using
phishing to get the target Cloud Shell user into following a redirection link, completing the OAuth process
and ending in successful CSWSH, which would allow the attacker to hijack the target user's requests.


GCP Cloudshell Cross-Site WebSocket Hijacking (CSWSH)

Spencer Gietzen

The AWS CodeStar service had an undocumented API (codestar:CreateProjectFromTemplate) that allowed
users with broadly-scoped CodeStar permissions to create a CodeStar project. As part of the creation
process, AWS would create a new CodeStarWorker IAM policy & attach it to the user making the call.
This policy granted full access to over 50 AWS services, including iam:AttachRolePolicy, iam:AttachUserPolicy and iam:PutRolePolicy permissions,
which would allow the user to escalate to full administrator access. Following disclosure, AWS removed
the majority of access granted by the CodeStarWorker policy, but this is still a viable escalation path if
there are other misconfigurations in the environment.


IAM privilege escalation via undocumented CodeStar API

Emilien Socchi

Azure Cognitive Search (ACS) is a full-text search engine service.
A new non-default feature allowed for a network control to bypassed, permitting an attacker to submit search queries to any other tenant's network-isolated ACS instance. However, abusing this required a valid API key 
to access the data plane of the target, along with a number of pieces of information about the target environment (such as the subscription ID and the name of the index to query).


ACSESSED

Wouter ter Maat

Wouter ter Maat discovered 9 vulnerabilities in GCP Cloudshell that could
allow an attacker to access resources in another customer's environment. 


GCP Cloudshell Vulnerabilities

Ademar Nowasky Junior

A vulnerability was discovered in Cloud Shell that enabled command injection and remote shell access.
The "Open in Cloud Shell" functionality allowed a user to provide values for both the "git_repo" and "go_get_repo" parameters,
which would clone the target repo in the user's environment. While "git_repo" was validated against a list of trusted repos,
"go_get_repo" was not. Therefore, an attacker could have supplied a trusted repository as "git_repo" and
an arbitrary command in the "go_get_repo" parameter. The command would then be executed in a trusted environment where it is
possible to access the user's home directory and to perform API calls using the user's credentials. However, the impact of this is unclear,
as an attacker would seemingly only be able to gain such a remote shell on their own instance. In theory, phishing
could be used to try and coerce a user into running a command that exposed their credentials to the attacker.
Google mitigated this issue by preventing users from being able to provide both parameters at once.


Tobias Ospelt

A vulnerability in AWS Cognito's password reset function allowed attackers to brute-force the six-digit reset code, potentially leading to account takeovers. Using concurrent HTTP requests, an attacker could make up to 1587 guesses instead of the documented limit of 20. The issue affected accounts without multi-factor authentication and was fixed by AWS on April 20, 2021.


Password Reset Code Brute-Force Vulnerability in AWS Cognito

Juho Nurminen

The @actions/core package had a delimiter injection vulnerability in the exportVariable function. Attackers could use a known delimiter to break out of a specific variable and assign values to other arbitrary variables. This may have allowed modification of path or environment variables without the intention of workflow or action authors.


Actions Core Delimiter Injection Vulnerability

Liv Matan

Tenable discovered a privilege escalation vulnerability in Google Cloud Platform's Cloud Composer service, dubbed ConfusedComposer. It allowed users with composer.environments.update permission to escalate privileges to the default Cloud Build service account by injecting malicious PyPI packages. This could grant broad permissions across the victim's GCP project.


Google Cloud ConfusedComposer Privilege Escalation Vulnerability

Christophe Tafani-Dereeper

AWS applies a rate limit to authentication requests made to the AWS Console
in an effort to prevent brute-force and credential stuffing attacks. However,
a weakness was discovered in the AWS Console authentication flow that allowed
a partial bypass of this rate limit by pausing for 5 seconds every 30 attempts.
This would enable an attacker to continuously attempt more than 280 passwords
per minute (4.6 per second) against IAM users, which could have resulted in
account compromise of users without MFA enabled.


AWS Console rate limit bypass

Ian Duffy

Full administrative access to the Azure Red Hat Enterprise Linux Appliance REST API was publicly exposed.
It allowed malicious actors uploading packages that would be acquired by client virtual machines on their next yum update. 
The vulnerable infrastructure supplies all the packages for all Red Hat Enterprise Linux instances booted from the Azure marketplace.


Public admin access to Azure's Red Hat Update Infrastructure

Louis Duruflé-Seta

When the compute API is enabled on a GCP Project, the default compute account
is created. This account gets the primitive role Editor assigned by default, which
allows for a wide variety of privilege excalation and resource abuse in the project.
Especially, all new VMs created inherit this permissions by default. This issue
is arguably a technical decision by GCP, but the documents advise customers to
undo this.


GCP Default compute account is project Editor

Nick Frichette

AWS Control Tower was not properly logging to CloudTrail when API calls
failed due to a lack of permissions. This could have helped an adversary
with existing access to a victim AWS environment avoid detection while
enumerating privileges, since any unsuccessful API calls would not
generate "access denied" log entries.


Partial CloudTrail logging in AWS Control Tower

s1r1us

AI Hub Jupyter Notebook server lacked a check of the Origin header that
led to a CSRF vulnerability. An attacker could have read sensitive data and execute
arbitrary actions in customer environments.


AI Hub Jupyter Notebook instance CSRF

Kat Traxler

The Document AI service unintentionally allows users to read any Cloud Storage object in the same project, in a way that isn't properly documented.
The Document AI service agent is auto-assigned with excessive permissions, allowing it to access all objects from Cloud Storage buckets in the same project.
Malicious actors can exploit this to exfiltrate data from Cloud Storage by indirectly leveraging the service agent's permissions.
This vulnerability is an instance of transitive access abuse, a class of security flaw where unauthorized access is gained indirectly
through a trusted intermediary.


Document AI data exfiltration

An AWS employee pushed sensitive data to a public github bucket, including customer information and credentials.
Note: This issue is outside the scope of this database's usual criteria for inclusion,
but has been kept for historic reasons, as it was included in the original CSP Security Mistakes dataset.


AWS uploaded sensitive data to public GitHub bucket

James Kettle (Portswigger), Arkadiy Tetelman (Chime)

ALBs found vulnerable to HTTP request smuggling (desync attack).


ALB HTTP request smuggling

Roi Nisimi

The system:authenticated group in Kubernetes is a special group that includes all authenticated entities,
including human users and service accounts. Anyone who successfully authenticates to the Kubernetes API server,
regardless of the authentication method used, will be automatically included in this unique group. Thus, it will
share the same roles and permissions of the group. This misunderstanding then creates a significant security
loophole when administrators unknowingly bind this group with overly permissive roles.


Google Cloud GKE Unsecure Sys:All Binding

AWS identified two vulnerabilities in specific versions of native clients for Amazon WorkSpaces, Amazon AppStream 2.0, and Amazon DCV. These issues could allow man-in-the-middle attacks, potentially giving attackers access to remote sessions. Affected versions include WorkSpaces clients 5.20.0 or earlier, AppStream 2.0 Windows client 1.1.1326 or earlier, and various DCV clients. AWS recommends upgrading to patched versions to address these security concerns.


Issue with Amazon WorkSpaces and AppStream 2.0 Clients

Yakir Kadkoda, Ofek Itach

Research uncovered security flaws in default AWS service roles, granting overly broad permissions like full S3 access. This allows privilege escalation, cross-service access, and potential account compromise across services like SageMaker, Glue, and EMR. Attackers could exploit these roles to manipulate critical assets and move laterally within AWS environments. AWS has since updated default policies and documentation to mitigate risks.


AWS Default Roles Can Lead to Service Takeover

Cloud Audit Logs do not capture actions mediated through the cloud console private API 
service (cloudconsole-pa). Consequently, there is no logging of HMAC key creation or deletion 
linked to user accounts. This absence of logs hampers defenders' ability to alert or monitor 
the creation of HMAC keys for user accounts, posing a persistence risk, or their deletion, 
presenting a denial of service risk.


GCP HMAC Keys do not log creation, deletion or usage

Marco Balduzzi, Jonas Zaddach, Davide Balzarotti, Engin Kirda, Sergio Loureiro

Researchers, while investigating the security posture of Public AMIs, were
able to undelete files from an official image that was published by Amazon AWS.


AWS published official AMIs with recoverable deleted files

CVE-2024-37293 affects the AWS Deployment Framework's bootstrap process, potentially allowing privilege escalation if an actor has permissions to change CodeBuild projects or Lambda functions. The issue is fixed in version 4.0 and above. AWS recommends immediate upgrade and temporary mitigation by adding a permissions boundary to roles created by ADF in the management account.


Issue with AWS Deployment Framework

GCP administrators face challenges in managing HMAC keys within their organizations, 
lacking visibility into which user accounts have generated these keys and whether they are 
actively being used to access storage objects. Additionally, there's a lack of functionality 
to revoke keys associated with other users, restricting their ability to enforce security 
policies effectively. Similarly, GCP incident response teams rely on Cloud Logging to monitor
Cloud Storage object access, but they lack specific indicators to determine if HMAC keys are
being utilized in these access attempts.


GCP HMAC Keys are not discoverable or revokable other than for self

Amazon Managed Workflows for Apache Airflow (MWAA) and the Task instance details
page in the Google Composer UI were not patched against CVE-2023-29247 (Stored XSS).
This meant that post-authentication, a threat actor could have exploited this
to store their JavaScript payload in the victim's managed Apache Airflow instance
and run JavaScript on behalf of the victim (who could be an admin or another
user with higher permissions than the threat actor, thereby leading to privilege escalation).
With JavaScript, threat actors could have run any operation in the session that the victim
is able to run — edit tasks, read jobs, run jobs, read plugins and configurations, 
list connections, add variables and more.


ApatchMe

Jamie Finnigan

A BGP-based feature of the AWS Direct Connect service allowed a third party to inject an incorrect route for an external IP, effectively hijacking AWS-sourced traffic. This resulted in connectivity issues between AWS EC2 instances and external systems. The issue was caused by a typo in a Direct Connect customer's configuration, which advertised an incorrect prefix to AWS.


AWS Direct Connect route injection issue

Allison Donovan, Dylan Ayrey

Composer, Dataflow, Dataproc, Dataprep and Data Fusion all used the Compute Engine
default service account by default and relied on product-level IAM permissions
without requiring the iam.serviceAccount.actAs permission, meaning that users of
these services could elevate their privileges. Following disclosure, GCP changed
these services to require this permission.


IAM privilege escalation in multiple GCP services

Azure API Management is an API gateway service meant to help organizations to create, manage, secure,
and monitor APIs across all of their environments. Researchers found three high severity vulnerabilities
in the service, two of which are SSRF (Server Side Request Forgery) vulnerabilities, and the third is a
path traversal bug. The SSRF issues affected the Azure API Management CORS proxy (which handles schema
retrieval) and hosting proxy (which routes API requests to the correct server). An attacker successful
in exploiting each of these SSRF vulnerabilities could fake requests from these legitimate servers and
thereby gain access to internal Azure services. However, the researchers did not determine the effective
impact of this access level, and it's therefore possible that Azure had security measures in place which
would have blocked further lateral movement. The path-traversal vulnerability allowed for an unrestricted
file upload to the Azure developer portal server. The portal's authenticated mode allows users to upload
static files and images to be displayed within the portal website, but this vulnerability could have allowed
an attacker to upload code instead, and then potentially execute it on the server itself.


API Management SSRF and path traversal vulnerabilities

Ben Bridts

AWS Directory Service didn't check the iam:PassRole permissions when using the
EnableRoleAccess action. This could have been used for privilege escalation by an
authenticated user with sufficient permissions (ds:EnableRoleAccess), if the
role had a trust policy that allowed use by Directory Service.


AWS Directory Service not checking PassRole on EnableRoleAccess

Unknown

Convincing a victim to click a specially crafted link would allow the attacker
to bypass the Identity-Aware Proxy (a core component of BeyondCorp).


GCP IAP bypass

Lidor Ben Shitrit

By misusing the Apiary web service and taking advantage of Apiary's use of IMDSv1,
a remote attacker is able to retrieve sensitive information from various endpoints
and use it to gain more access and sensitive data of other hosts in the same environment.


Oracle Apiary SSRF

Shubham Agrawal

A privilege escalation vulnerability in Amazon EC2 Autoscaling was identified. The CreateLaunchConfiguration action lacked PassRole validation, allowing users to launch EC2 instances with unauthorized roles. AWS fixed the issue for both CreateLaunchConfiguration and CreateAutoScalingGroup actions, implementing proper PassRole validation when using the instance-id option.


AWS EC2 Autoscaling Privilege Escalation Vulnerability

Allows an attacker with privileges in the account to share resources outside
of the account even when an org policy restricts this, thus enabling them to backdoor
their access.


Org policies bypass

The API action ListObservabilityConfigurationsForAccount did not properly validate the 
"AccountId" parameter that was passed to it. As a result, any account ID could be provided 
and the API would return the information for that account. This would leak minor information
about the observability configuration for App Runner in the account.


App Runner cross-tenant observability config info leak

A vulnerability in the Amazon ECS agent could allow an introspection server to be accessed off-host.
This information disclosure issue, if exploited, could allow another instance in the same security
group to access the server's data. The vulnerability does not affect instances where off-host access
is set to 'false'. The issue has been patched in version 1.97.1 of the ECS agent.


AWS ECS Agent Information Disclosure Vulnerability

Jonathan Rault

Upon blocking a request, GCP Org policy constraints were logging the deny
logs in Principal''s project and the blocking project. An attacker could use those
logs to exfiltrate any data, by making request from a Principal they own from
a defender project.


Exfiltrate data via the logs of GCP Org policy

The API action ListVpcConnectorsForAccount did not properly validate the "AccountId" parameter
that was passed to it. As a result, any account ID could be provided and the API would return
the information for that account. This would leak minor information about the VPC 
configuration for App Runner in the account including the subnet ID, security group ID, and the
VPC Connector ARN.


App Runner cross-tenant VPC connectors info leak

Scott Piper

Even for the AWS-managed ElasticSearch clusters that had not been made public,
their index names could be learned.


AWS ElasticSearch Index Name Leakage

Ezequiel Pereira

A GCP Organizations name could be changed through the (deprecated) organizations.update 
method in the Resource Manager, even though the documentation said the "displayName" was read-only.
With this, I could have my own organization and name it as another one and confuse users:
- Rename an organization "<IMPORTANT-COMPANY>.com"
- Share it with "domain:<IMPORTANT-COMPANY>.com" (Effectively sharing it with every 
Google user with a @<IMPORTANT-COMPANY>.com account)
- Profit from unsuspecting users creating resources in my organization, specially billing 
accounts or building projects that manage sensible information.


Impersonate GCP Organization Through the Organizations Update Method

Jackson Reid

Asset Key Thief was a Google Cloud 
privilege escalation vulnerability that enabled 
principals with the "Cloud Asset Viewer" role (or other roles 
with the `cloudasset.assets.searchAllResources` permission) on the 
Cloud Asset Inventory API, at the Project, Folder, or Organization level 
to view and exfiltrate any user-managed Service Account 
private key under a project within the same Google Cloud environment that 
had been created or rotated up to a maximum of 12 hours ago. 
Access to Service Account private keys enable the full assumption 
of that Service Account's identity and privileges, which would have given 
attackers with existing access to a Google Cloud environment a persistent and reliable
method of lateral movement and privilege escalation. Google has since fixed this 
vulnerability, but affected customers must rotate their keys manually.


Asset Key Thief

Information about this issue is under NDA, but AWS customers can read about it on pages 120-121 of the report,
which is available for download through AWS Artifact.
Note: This issue is outside the scope of this database's usual criteria for inclusion, but has
been kept for historic reasons, as it was included in the original CSP Security Mistakes dataset.


AWS SOC 2 type 2 failure (Fall 2020)

Chris Moberly

GCP provides an OS Login service for managing SSH access to compute instances using IAM roles.
An attacker could abuse this feature via LXD, Docker (if available on the target system) and
DHCP poisoning of the metadata server to escalate their privileges on a Google Compute Engine VM.


Privilege escalation in GCP OS Login

Daniel Grzelak

3rd party vendors can (and sometimes do) incorrectly implement sts:ExternalId in their
AWS role trust policies, leading to confused deputy issues. These misconfigurations could
allow customers to access other customers' data. Although vendors are responsible for
ensuring their own configurations are correct, AWS could theoretically add mitigations
to prevent and detect this issue.


3rd party vendor confused deputy via AssumeRole

Information about this issue is under NDA, but AWS customers can read about it on page 98 of the report,
which is available for download through AWS Artifact.
Note: This issue is outside the scope of this database's usual criteria for inclusion, but has
been kept for historic reasons, as it was included in the original CSP Security Mistakes dataset.


AWS SOC 2 type 2 failure (Fall 2021)

It was possible to list IAM service accounts of any GCP project, given only its ID, by forging a pageToken for the projects.serviceAccounts.list 
method of the IAM API. Due to the design of certain services in GCP, this issue could lead to exposure of sensitive information related to a project,
and could be further used to enumerate unsecured resources in the platform, such as App Engine apps, Container Registry repositories, etc.


GCP service accounts and projects information leak

Elad Gabay

Any unattached storage volume, or attached storage volumes allowing multi-attachment,
could have been read from or written to as long as an attacker knew their Oracle Cloud Identifier (OCID),
allowing sensitive data to be exfiltrated or even more impactful attacks to be initiated via
executable file manipulation in the target tenant's environment.


AttachMe

Michael Werner

A principal with the permissions glue:GetConnection and ec2:DescribeSubnets
can retrieve the database password of a connection, since the password is loaded into
the AWS console website when a connection's edit page is requested. The severity of
this issue is low since it requires sufficient prior access.


AWS Glue database password leakage

Dan Maas

GCP's Speech-to-Text "operations/list" and "operations/get" APIs would return data that did 
not belong to the caller when no parameters were provided. It is unclear whether this was 
cross-customer data disclosure, or potentially test or internal data.


GCP Speech to Text Information Disclosure

Yanir Tsarimi

An exposed endpoint in the Azure Automation Service allowed to steal Azure
API credentials from other customers


AutoWarp

Aidan Steele

AWS IAM Identity Center exchanges third-party OIDC tokens for
Identity Center-issued tokens. Identity Center relies on the jti
claim in the third-party tokens to prevent replay attacks. 
Identity Center maintained a cache of previously-seen jti values
for a fixed period (24 hours) and didn’t enforce that the third-party
tokens had expiry claims. This meant that a token with a jti claim and
without an exp claim could be replayed after >24 hours had passed. 


AWS IAM Identity Center Expiry

Ron Chan

An SSRF bug in GCP's Stackdriver Debugger feature's code import could have been used to leak the authentication
token of the user to an attacker-controlled server. Exploitation would require that the user had previously
configured a specific code hosting service (such as GitHub), and could be tricked into clicking a malicious link.


GCP Stackdriver Debugger SSRF

AWS identified an issue in the Amazon WorkSpaces Windows client which resulted in unintentionally logging
connection debugging information to a user's local system. This data could include usernames or passwords
if they contain specific characters: \ (backslash) or " (double quotes). If an attacker gained access to
an Amazon WorkSpaces user's machine, they could then compromise such credentials from the log.


Amazon WorkSpaces Windows client credential logging

A vulnerability in AWS IAM Sign-in login flow could allow attackers to enumerate IAM usernames by measuring server response times. This issue affected AWS Sign-in IAM User login flow prior to January 16, 2025. AWS has since introduced a delay in response times across all authentication failure scenarios to mitigate the vulnerability.


AWS Sign-in IAM User Login Flow Username Enumeration

Johann Rehberger

In Vertex AI Studio, a Prompt Injection attack could cause the LLM to return
markdown tags. This could have allowed an adversary whose data makes it into
the chat context (e.g., via an uploaded file) to achieve
exfiltration of the victim’s data by rendering hyperlinks. However, the severity of this issue is low,
as there were no integrations that could pull remote content. This means
Indirect Prompt Injection was not possible, and it would require the victim to copy
the malicious prompt from elsewhere. A similar issue affected Azure AI.


Vertex AI Studio data exfiltration

An Indirect Prompt Injection attack can cause the LLM to return
markdown tags. This allows an adversary who’s data makes it into
the chat context (e.g via an uploaded file) to achieve data
exfiltration of the victim’s data by rendering hyperlinks.


Amazon Q for Business Data Exfiltration

Tag variable names affected whether trust policy conditions were evaluated correctly.
If the request tag referenced a principal tag called MemberRole in the JWT token, and 
the IAM role referenced a resource tag with the same variable name, the condition was
always evaluated as true, regardless of whether the tag's values actually matched. Only
role trust policies that used a variable substitution for both the request tag and the
resource tag in the policy statement resulted in the policy evaluating incorrectly. The 
issue impacted statements within IAM boundary policies and SCP policies that contained 
the same pattern of STS role assumption with tag-based conditions.


AWS IAM Trust Policy Condition Evaluation Bug

This vulnerability chain exploits a Cross-Site Scripting (XSS) flaw (CVE-2021-41038) within the Theia IDE used in Google Vertex AI Workbench.
An attacker could inject malicious JavaScript code into the Theia IDE. This code could then be used to steal the OAuth token associated with the project's default Compute Engine service account,
because when a user-managed Vertex AI Workbench instance is created, it utilizes the project's default Compute Engine service account. At the time, this default service account had the Editor Role assigned by default.


XSS in Google Cloud Theia notebooks

The AWS Amplify service was found to be misconfiguring IAM roles associated 
with Amplify projects. This misconfiguration caused these roles to be assumable 
by any other AWS account. Both the Amplify Studio and the Amplify CLI 
exhibited this behavior. Any Amplify project created using the Amplify CLI
built between July 3, 2018 and August 8, 2019 had IAM roles that were assumable by
anyone in the world. The same was true if the authentication component was removed
from an Amplify project using the Amplify CLI or Amplify Studio built between
August 2019 and January 2024. AWS mitigated this vulnerability through backend changes to
STS and IAM, and also released a patch for the Amplify CLI to ensure that newly
created roles are properly configured in accordance with these changes.


AWS Amplify IAM role publicly assumable exposure

Through an undocumented API service called 'iamadmin', attackers could invoke any of 13 read-only IAM actions without the activity being being logged to CloudTrail.
These actions included listing group policies (iam:ListGroupPolicies), listing access keys (iam:ListAccessKeys), retrieving information about a role (iam:GetRole), and more.
This could have enabled adversaries to perform enumeration and reconnaissance activity undetected after gaining a foothold in a victim AWS environment.


AWS CloudTrail bypass for specific IAM actions

Ofir Balassiano, Ofir Shaty

A vulnerability in GCP's Vertex AI service allows privilege escalation and unauthorized access to sensitive LLM models. Attackers can exfiltrate these models by exploiting misconfigurations in access controls and service bindings.
By exploiting custom job permissions, researchers were able to escalate their privileges and gain unauthorized access to all data services in the project.
In addition, deploying a poisoned model in Vertex AI led to the exfiltration of all other fine-tuned models, posing a proprietary and sensitive data exfiltration attack risk.


ModeLeak: LLM Model Exfiltration Vulnerability in Vertex AI

Researchers at Omegapoint identified two issues in AWS API Gateway authorizers: 1) A header rewrite feature could be abused to bypass authorization by overwriting headers after the authorizer lambda processed them. 2) Caching of authorization policies could be exploited to reuse cached policies with modified identification sources, bypassing the authorizer.


AWS API Gateway Header Smuggling and Cache Confusion

AWS offers a metadata service accessible to most EC2 Instances via a simple GET request to 169.254.169.254.
If an instance has an SSRF vulnerability, attackers can access the metadata service & exfiltrate the credentials 
of an attached IAM role to gain privileged access to the relevant AWS environment.


AWS IAM role credential exfiltration via EC2 Instance Metadata Service (IMDSv1)

A bucket traversal vulnerability was discovered in the google.cloud.storage.transfer_manager.upload_chunks_concurrently() function of Google Cloud Storage. This issue could potentially allow unauthorized access to files in different buckets or directories within the same project.


Bucket Traversal in Google Cloud Storage Transfer Manager

Daniel Thatcher

A flaw in AWS API Gateway enabled hiding HTTP request headers. Tampering
with HTTP requests visibility enabled bypassing IP restrictions, cache poisoning
and request smuggling.


AWS API Gateway HTTP header smuggling

Alex Brasetvik

The AWS Java SDK was vulnerable to XML external entity (XXE) injection related to XML parsers.


AWS Java SDK XXE injection

Google users can find and install third-party OAuth applications from Google Marketplace that are integrated with Google Workspace.
Each OAuth application client in Google is associated with a GCP project. A bug in the way a GCP project enters a "pending deletion"
state when deleted, could have allowed threat actors to make a malicious application invisible and unremovable from the user's account.
If an attacker had managed to install an application in an account (e.g., through a phishing attack), they could have exploited this
vulnerability to hide their activity from the target user. Depending on the permissions of the malicious application, the attacker
could have silently gained access to sensitive information such as private Gmail correspondences, personal files and planned events
within the the victim's google account, as well as any GCP resources the user had access to.


GhostToken

AppFlow had an undocumented service called sandstoneconfigurationservicelambda. 
An undocumented field (awsOwnedManagedAppCredentialsArn) could be used during
connector registration and connector updates. Specifying a victim's Secret ARN
as that field disclosed the clientId and clientSecret, so long as the victim
Secret ARN belonged to a connection profile which is of the type 
OAuth or contains clientId and clientSecret.


AWS AppFlow secrets disclosure

AWS Neuron SDK has reintroduced a dependency confusion vulnerability three times in four years. The issue stems from using the --extra-index-url parameter in pip install commands, which allows potential installation of malicious packages from PyPI instead of AWS's private repository. Despite previous reports, AWS has not fully addressed the problem, leaving new packages vulnerable to exploitation.


AWS Neuron SDK Dependency Confusion Vulnerability Recurs

wunderwuzzi

GitHub Copilot Chat VS Code Extension was vulnerable to data exfiltration via prompt injection when analyzing untrusted source code. The vulnerability allowed attackers to access previous conversation turns and append information from the chat history to an image URL, which was then automatically retrieved by Copilot, sending the data to the attacker.


GitHub Copilot Chat Vulnerable to Data Exfiltration

The AppFlow WooCommerce connector allowed specification of a full URL.
The connector included details of response content when the URL
offered an unexpected response. This means you could make arbitrary
GET requests to any URL from the WooCommerce connector, and view the 
response content. The response in the error was truncated to 500 characters.


AWS AppFlow WooCommerce SSRF

Researchers identified non-production AWS API endpoints that could be abused for defense evasion, including silent permission enumeration, accessing account data without logging, and partially bypassing CloudTrail. AWS has remediated specific issues but thousands of such endpoints may exist.


Non-Production AWS Endpoints as Attack Surface

Adnan Khan

A critical vulnerability in GitHub's actions/runner-images repository allowed arbitrary code execution on self-hosted runners, potentially enabling modification of GitHub's runner base images. The flaw stemmed from misconfigured self-hosted runners on a public repository with default workflow approval settings. The researcher gained persistence, accessed secrets, and could have inserted malicious code into GitHub's runner images used by customers.


Poisoning GitHub's Runner Images Supply Chain Attack

Saransh Rana

Credentials can be extracted from AppStream. When used, they obscure
the sourceIP and userName of the initial user. The sourceIP appears 
as appstream.amazonaws.com.


AWS AppStream Cloudtrail Bypass

Two malicious versions were created of packages previously used by AWS.
The packages were officially authored and maintained by AWS before they
were removed by their legitimate author, and once the packages were
removed, their names became available and the two packages were then
populated with malicious code. If AWS-deployed software had any dependencies
on these packages, this would have led to a dependency confusion attack.


The Open Cloud Vulnerability
& Security Issue Database

Tags:

Recently published

Entra ID actor token validation bug allowing cross-tenant global admin

Dirk-jan Mollema, Outsider ...

AWS ECS Agent Information Disclosure Vulnerability

Amazon Web Services

Remote Prompt Injection in GitLab Duo Leaks Source Code

Omer Mayraz, Legit Security

AWS Security Tool Introduces Privilege Escalation Risk

Eliav Livneh, Token Security

Azure AZNFS-mount Utility Root Privilege Escalation

Tal Peleg, Varonis Threat Labs

AWS Default Roles Can Lead to Service Takeover

Yakir Kadkoda, Ofek Itach, ...

The Open Cloud Vulnerability & Security Issue Database

Tags:

Recently published

Entra ID actor token validation bug allowing cross-tenant global admin

Dirk-jan Mollema, Outsider ...

AWS ECS Agent Information Disclosure Vulnerability

Amazon Web Services

Remote Prompt Injection in GitLab Duo Leaks Source Code

Omer Mayraz, Legit Security

AWS Security Tool Introduces Privilege Escalation Risk

Eliav Livneh, Token Security

Azure AZNFS-mount Utility Root Privilege Escalation

Tal Peleg, Varonis Threat Labs

AWS Default Roles Can Lead to Service Takeover

Yakir Kadkoda, Ofek Itach, ...

The Open Cloud Vulnerability
& Security Issue Database