Summary
AWS CodeArtifact was susceptible to dependency confusion / substitution (i.e, publication of a
malicious package to a public repository with the same name as an organization’s internal package).
AWS fixed this issue by adding package origin controls, allowing users to limit how versions of a
given package can be added to a CodeArtifact repository.
Affected Services
CodeArtifact
Remediation
None required
Tracked CVEs
No tracked CVEs
References
https://zego.engineering/dependency-confusion-in-aws-codeartifact-86b9ff68963dhttps://aws.amazon.com/blogs/devops/tighten-your-package-security-with-codeartifact-package-origin-control-toolkit/https://docs.aws.amazon.com/codeartifact/latest/ug/package-origin-controls.html
Contributed by https://github.com/mer-b
Entry Status
Finalized
Disclosure Date
Fri, Oct 29th, 2021
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Ignacio Dominguez, Zego
