low

CloudFormation denial of service (in a single account)

Published Tue, Sep 1st, 2020

Platforms

Summary

An attacker with the ability to create CloudFormation stacks could cause a denial-of-service on some CloudFormation actions within a single AWS account.

Affected Services

CloudFormation

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://onecloudplease.com/blog/security-september-fun-with-fncidr

Contributed by https://github.com/Rami McCarthy

Entry Status

Finalized

Disclosure Date

Tue, Sep 1st, 2020

Exploitablity Period

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Ian Mckay

More vulnerabilities...

medium

GCP service accounts and projects information leak

It was possible to list IAM service accounts of any GCP project, given only its ID, by forging a pageToken for the projects.serviceAccounts.list method of the IAM API. Due to the design of certain...

S3 Crypto SDK vulnerabilities

CloudTrail S3 data events leak bucket Account ID

Using CloudTrail S3 data events, it was possible to determine the AWS account ID of any existing S3 bucket by calling any S3 API, getting denied, and looking at the value in the resource key in err...

Jonathan Rault, TrustOnCloud

Mon, Jul 27th, 2020

View all