low

AWS Java SDK XXE injection

Published Tue, Oct 10th, 2017

Platforms

Summary

The AWS Java SDK was vulnerable to XML external entity (XXE) injection related to XML parsers.

Affected Services

Java SDK

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://github.com/aws/aws-sdk-java/commit/080a0037395f8b1e8e81b59c9d2c3a3d7624c8ac#diff-4ac32a78649ca5bdd8e0ba38b7006a1eR8 https://twitter.com/alexbrasetvik/status/1293088161363525633

Contributed by https://github.com/korniko98

Entry Status

Finalized

Disclosure Date

Exploitablity Period

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Alex Brasetvik

More vulnerabilities...

low

Public admin access to Azure's Red Hat Update Infrastructure

Full administrative access to the Azure Red Hat Enterprise Linux Appliance REST API was publicly exposed. It allowed malicious actors uploading packages that would be acquired by client virtual mac...

Ian Duffy

Sat, Nov 26th, 2016

medium

3rd party vendor confused deputy via AssumeRole

3rd party vendors can (and sometimes do) incorrectly implement sts:ExternalId in their AWS role trust policies, leading to confused deputy issues. These misconfigurations could allow customers to a...

Daniel Grzelak, Atlassian

Wed, Nov 16th, 2016

low

AWS published official AMIs with recoverable deleted files

Researchers, while investigating the security posture of Public AMIs, were able to undelete files from an official image that was published by Amazon AWS.

Marco Balduzzi, Jonas Zadda...

Sat, Jun 4th, 2011

View all