Unknown

Bazel supply chain vulnerability

Published Wed, Apr 3rd, 2024

Platforms

Summary

Cycode discovered a CI/CD misconfiguration in the Bazel repo, which if exploited could have allowed an attacker to enact a supply chain attack against all Bazel users, which includes Google themselves and therefore likely GCP as well.

Affected Services

N/A

Tracked CVEs

No tracked CVEs

References

https://cycode.com/blog/cycode-discovers-a-supply-chain-vulnerability-in-bazel/

Entry Status

Stub

Disclosure Date

Exploitablity Period

Known ITW Exploitation

Detection Methods

None

Piercing Index Rating

Discovered by

Cycode

More vulnerabilities...

high

Flaw in Bedrock's Foundation Model Access Control

A flaw in AWS Bedrock's foundation model access control allowed unauthorized subscriptions to certain models, bypassing IAM policies using the aws-marketplace:ProductId condition key. This could le...

Carlos Mora, TrustOnCloud

Wed, Mar 27th, 2024

high

IAM Policy Flaw Allowed Unauthorized Access to Bedrock Models

TrustOnCloud identified a flaw in how AWS Bedrock enforces IAM access controls using the aws-marketplace:ProductId condition key, which is meant to restrict subscriptions to specific foundation mod...

Carlos Mora, TrustOnCloud

Sun, Mar 24th, 2024

high

FlowFixation

A flaw in Amazon Managed Workflows for Apache Airflow (MWAA) could have allowed potential session hijacking and remote code execution. The issue stemmed from a combination of session fixation in th...

Liv Matan, Tenable

Thu, Mar 21st, 2024

View all