low

AWS Java SDK XXE injection

Published Tue, Oct 10th, 2017

Platforms

aws

Summary

The AWS Java SDK was vulnerable to XML external entity (XXE) injection related to XML parsers.

Affected Services

Java SDK

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://github.com/aws/aws-sdk-java/commit/080a0037395f8b1e8e81b59c9d2c3a3d7624c8achttps://twitter.com/alexbrasetvik/status/1293088161363525633

Contributed by https://github.com/korniko98

Entry Status

Finalized

Disclosure Date

-

Exploitability Period

-

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

-

Discovered by

Alex Brasetvik

More vulnerabilities...

low

Public admin access to Azure's Red Hat Update Infrastructure

azure

Full administrative access to the Azure Red Hat Enterprise Linux Appliance REST API was publicly exposed. It allowed malicious actors uploading packages that would be acquired by client virtual mac...

Ian Duffy
medium

3rd party vendor confused deputy via AssumeRole

aws

3rd party vendors can (and sometimes do) incorrectly implement sts:ExternalId in their AWS role trust policies, leading to confused deputy issues. These misconfigurations could allow customers to a...

Daniel Grzelak, Atlassian
low

AWS published official AMIs with recoverable deleted files

aws

Researchers, while investigating the security posture of Public AMIs, were able to undelete files from an official image that was published by Amazon AWS.

Marco Balduzzi, Jonas Zadda...
View all