Unknown

Bazel supply chain vulnerability

Published Wed, Apr 3rd, 2024

Platforms

Summary

Cycode discovered a CI/CD misconfiguration in the Bazel repo, which if exploited could have allowed an attacker to enact a supply chain attack against all Bazel users, which includes Google themselves and therefore likely GCP as well.

Affected Services

N/A

Tracked CVEs

No tracked CVEs

References

https://cycode.com/blog/cycode-discovers-a-supply-chain-vulnerability-in-bazel/

Entry Status

Stub

Disclosure Date

Exploitablity Period

Known ITW Exploitation

Detection Methods

None

Piercing Index Rating

Discovered by

Cycode

More vulnerabilities...

critical

Critical GitLab Account Takeover Vulnerability

GitLab addressed a critical vulnerability, CVE-2023-7028, affecting managed SaaS gitlab.com instance as well as self-hosted versions 16.1 to 16.7.1. The flaw could allow account takeovers via unver...

asterion04, GitLab

Wed, Apr 3rd, 2024

high

Flaw in Bedrock's Foundation Model Access Control

A flaw in AWS Bedrock's foundation model access control allowed unauthorized subscriptions to certain models, bypassing IAM policies using the aws-marketplace:ProductId condition key. This could le...

Carlos Mora, TrustOnCloud

Wed, Mar 27th, 2024

high

IAM Policy Flaw Allowed Unauthorized Access to Bedrock Models

TrustOnCloud identified a flaw in how AWS Bedrock enforces IAM access controls using the aws-marketplace:ProductId condition key, which is meant to restrict subscriptions to specific foundation mod...

Carlos Mora, TrustOnCloud

Sun, Mar 24th, 2024

View all