low

S3 bucket tagging not restricted

Published Mon, Sep 28th, 2020

Platforms

Summary

Lack of the privilege s3:PutBucketTagging did not restrict the ability to tag S3 buckets.

Affected Services

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://onecloudplease.com/blog/security-september-still-early-days-for-abac

Contributed by https://github.com/0xdabbad00

Entry Status

Finalized

Disclosure Date

Mon, Sep 28th, 2020

Exploitablity Period

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Ian Mckay

More vulnerabilities...

low

Encryption SDK vulnerabilities

AWS KMS and all versions of AWS Encryption SDKs prior to version 2.0.0 were susceptible to information leakage (an attacker could create ciphertexts that would leak the user’s AWS account ID, encry...

Thai Duong (thaidn), Google

Mon, Sep 28th, 2020

low

CloudFormer review

An audit of an AWS open-source project identified a great deal of issues, and as a result AWS made the decision to take it down.

Karim El-Melhaoui, O3 Cyber

Fri, Sep 25th, 2020

high

CloudFormation resource provider credentials leak

CloudFormation allows the use of Lambda-backed resource providers, wherein Lambda can be used to write custom provisioning logic to be executed during CloudFormation stack operations. The aforement...

Aidan Steele

Tue, Sep 22nd, 2020

View all