low

Oracle Apiary SSRF

Published Tue, Feb 8th, 2022

Platforms

Summary

By misusing the Apiary web service and taking advantage of Apiary's use of IMDSv1, a remote attacker is able to retrieve sensitive information from various endpoints and use it to gain more access and sensitive data of other hosts in the same environment.

Affected Services

Apiary

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://orca.security/resources/blog/oracle-server-side-request-forgery-ssrf-attack-metadata/

Contributed by https://github.com/ramimac

Disclosure Date

Tue, Feb 8th, 2022

Exploitablity Period

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Lidor Ben Shitrit, Orca Security

More vulnerabilities...

low

Codebuild data exfiltration

When customers attach a CodeBuild project to their VPC, CodeBuild’s build container will apply the same network routing rules as defined in the customer’s VPC Security Group. However, CodeBuild EC2...