high

AWS RDS local file read

Published Mon, Apr 11th, 2022

Platforms

Summary

A vulnerability was discovered in the Aurora PostgreSQL log_fdw extension for Amazon Relational Database Service (RDS), allowing an attacker to read files on the EC2 host and obtain credentials for an internal AWS service.

Affected Services

RDS

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://blog.lightspin.io/aws-rds-critical-security-vulnerability https://aws.amazon.com/security/security-bulletins/AWS-2022-004/

Contributed by https://github.com/0xdabbad00

Entry Status

Finalized

Disclosure Date

Thu, Dec 9th, 2021

Exploitability Period

Known ITW Exploitation

Detection Methods

None

Piercing Index Rating

Discovered by

Gafnit Amiga, Lightspin

More vulnerabilities...

low

Azure AD information disclosure via undocumented APIs

Undocumented Azure AD APIs could allow access to internal information of any organization that uses Azure AD. Collected details included licensing information, mailbox information, and directory sy...

SecureworksApr 5, 2022

medium

GKE Sandbox side channel attack

There was a misconfiguration with Simultaneous Multi-Threading (SMT), also known as Hyper-threading, in GKE Sandbox images, causing nodes to be potentially exposed to side channel attacks such as M...

Mar 22, 2022

low

AWS RDS does not enforce SSL/TLS encryption

The AWS RDS service does not enable secure transport layer security by default, allowing clients to connect insecurely. Additionally, for the more commonly used MySQL and MariaDB RDS engine types, ...

Riyaz Walikar, KloudleMar 10, 2022

View all