Bazel supply chain vulnerability

Published Wed, Apr 3rd, 2024

Platforms

gcp

Summary

Cycode discovered a CI/CD misconfiguration in the Bazel repo, which if exploited could have allowed an attacker to enact a supply chain attack against all Bazel users, which includes Google themselves and therefore likely GCP as well.

Affected Services

N/A

Tracked CVEs

No tracked CVEs

References

https://cycode.com/blog/cycode-discovers-a-supply-chain-vulnerability-in-bazel/

Entry Status

Stub

Disclosure Date

-

Exploitability Period

-

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

-

Discovered by

Cycode

More vulnerabilities...

high

Flaw in Bedrock's Foundation Model Access Control

aws

A flaw in AWS Bedrock's foundation model access control allowed unauthorized subscriptions to certain models, bypassing IAM policies using the aws-marketplace:ProductId condition key. This could le...

Carlos Mora, TrustOnCloud
high

IAM Policy Flaw Allowed Unauthorized Access to Bedrock Models

aws

TrustOnCloud identified a flaw in how AWS Bedrock enforces IAM access controls using the aws-marketplace:ProductId condition key, which is meant to restrict subscriptions to specific foundation mod...

Carlos Mora, TrustOnCloud
high

FlowFixation

aws

A flaw in Amazon Managed Workflows for Apache Airflow (MWAA) could have allowed potential session hijacking and remote code execution. The issue stemmed from a combination of session fixation in th...

Liv Matan, Tenable
View all