Unknown

Missing JWT issuer and signer validation in ALB middleware

Published Mon, Oct 21st, 2024

Platforms

Summary

Affected Services

AWS ALB Route Directive Adapter For Istio, AspNetCore for Application Load Balancer OpenId Connect

Tracked CVEs

CVE-2024-8901, CVE-2024-10125

References

https://aws.amazon.com/security/security-bulletins/AWS-2024-011/https://aws.amazon.com/security/security-bulletins/AWS-2024-012/

Entry Status

Stub

Disclosure Date

Exploitablity Period

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Miggo Security

More vulnerabilities...

low

Data exfil via VPC endpoint denials in CloudTrail

CloudTrail delivered events to the resource owner and API caller even when the API action was denied by the VPC endpoint policy. This could have enabled a stealthy data exfiltration method in cases...

Sam Cox, Tracebit

Tue, Oct 15th, 2024

medium

Document AI data exfiltration

The Document AI service unintentionally allows users to read any Cloud Storage object in the same project, in a way that isn't properly documented. The Document AI service agent is auto-assigned wi...

Kat Traxler, Vectra AI

Mon, Sep 16th, 2024

high

CloudImposer

Google Cloud Composer is a managed service for Apache Airflow. Tenable discovered that the Cloud Composer package was vulnerable to dependency confusion, which could have allowed attackers to injec...

Liv Matan, Tenable

Mon, Sep 16th, 2024

View all