low

AWS Glue database password leakage

Published Thu, Apr 11th, 2024

Platforms

Summary

A principal with the permissions glue:GetConnection and ec2:DescribeSubnets can retrieve the database password of a connection, since the password is loaded into the AWS console website when a connection's edit page is requested. The severity of this issue is low since it requires sufficient prior access.

Affected Services

Glue

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://sec-consult.com/vulnerability-lab/advisory/database-passwords-in-server-response-in-amazon-aws-glue/

Contributed by https://github.com/ramimac

Entry Status

Finalized

Disclosure Date

Wed, Jun 7th, 2023

Exploitability Period

Known ITW Exploitation

Detection Methods

None

Piercing Index Rating

Discovered by

Michael Werner, SEC Consult

More vulnerabilities...

low

AWS IAM Trust Policy Condition Evaluation Bug

Tag variable names affected whether trust policy conditions were evaluated correctly. If the request tag referenced a principal tag called MemberRole in the JWT token, and the IAM role referenced ...

StediApr 9, 2024

critical

Critical GitLab Account Takeover Vulnerability

GitLab addressed a critical vulnerability, CVE-2023-7028, affecting managed SaaS gitlab.com instance as well as self-hosted versions 16.1 to 16.7.1. The flaw could allow account takeovers via unver...

asterion04, GitLabApr 3, 2024

Bazel supply chain vulnerability

Cycode discovered a CI/CD misconfiguration in the Bazel repo, which if exploited could have allowed an attacker to enact a supply chain attack against all Bazel users, which includes Google themsel...

CycodeApr 3, 2024

View all