Unknown

Bazel supply chain vulnerability

Published Wed, Apr 3rd, 2024

Platforms

Summary

Cycode discovered a CI/CD misconfiguration in the Bazel repo, which if exploited could have allowed an attacker to enact a supply chain attack against all Bazel users, which includes Google themselves and therefore likely GCP as well.

Affected Services

N/A

Tracked CVEs

No tracked CVEs

References

https://cycode.com/blog/cycode-discovers-a-supply-chain-vulnerability-in-bazel/

Entry Status

Stub

Disclosure Date

Exploitablity Period

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Cycode

More vulnerabilities...

high

Flaw in Bedrock's Foundation Model Access Control

A flaw in AWS Bedrock's foundation model access control allowed unauthorized subscriptions to certain models, bypassing IAM policies using the aws-marketplace:ProductId condition key. This could le...

Carlos Mora, TrustOnCloud

Wed, Mar 27th, 2024

high

FlowFixation

A flaw in Amazon Managed Workflows for Apache Airflow (MWAA) could have allowed potential session hijacking and remote code execution. The issue stemmed from a combination of session fixation in th...

Liv Matan, Tenable

Thu, Mar 21st, 2024

medium

Synapse Analytics privilege escalation via intelligent caching

Tenable Research discovered a privilege escalation flaw that allows a user to escalate privileges to that of the root user within the context of a Spark VM. This escalation was achieved because of...

Jimi Sebree, Tenable

Thu, Mar 7th, 2024

View all