Unknown

Bazel supply chain vulnerability

Published Wed, Apr 3rd, 2024

Platforms

Summary

Cycode discovered a CI/CD misconfiguration in the Bazel repo, which if exploited could have allowed an attacker to enact a supply chain attack against all Bazel users, which includes Google themselves and therefore likely GCP as well.

Affected Services

N/A

Tracked CVEs

No tracked CVEs

References

https://cycode.com/blog/cycode-discovers-a-supply-chain-vulnerability-in-bazel/

Entry Status

Stub

Disclosure Date

Exploitablity Period

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Cycode

More vulnerabilities...

high

FlowFixation

A flaw in Amazon Managed Workflows for Apache Airflow (MWAA) could have allowed potential session hijacking and remote code execution. The issue stemmed from a combination of session fixation in th...

Liv Matan, Tenable

Thu, Mar 21st, 2024

medium

Synapse Analytics privilege escalation via intelligent caching

Tenable Research discovered a privilege escalation flaw that allows a user to escalate privileges to that of the root user within the context of a Spark VM. This escalation was achieved because of...

Jimi Sebree, Tenable

Thu, Mar 7th, 2024

high

Azure Site Recovery privilege escalation

When the ASR service is enabled, it uses an Automation Account with a System-Assigned Managed Identity to manage Site Recovery extensions on VMs. However, the Runbook (a set of scripts for managing...

Joshua Murrell, NetSPI

Tue, Feb 13th, 2024

View all