low

CloudFormer review

Published Fri, Sep 25th, 2020

Platforms

aws

Summary

An audit of an AWS open-source project identified a great deal of issues, and as a result AWS made the decision to take it down.

Affected Services

CloudFormer

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://blog.karims.cloud/2020/09/25/cloudformer-review-part-1.html

Contributed by https://github.com/0xdabbad00

Entry Status

Finalized

Disclosure Date

Fri, Sep 25th, 2020

Exploitability Period

-

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

-

Discovered by

Karim El-Melhaoui, O3 Cyber

More vulnerabilities...

high

CloudFormation resource provider credentials leak

aws

CloudFormation allows the use of Lambda-backed resource providers, wherein Lambda can be used to write custom provisioning logic to be executed during CloudFormation stack operations. The aforement...

Aidan Steele
low

Timing attack with Lambda and CloudWatch Synthetics

aws

The immutability of Lambda versions could be violated via a timing attack against CloudWatch Synthetics canaries.

Ian Mckay
low

CloudFormation denial of service (in a single account)

aws

An attacker with the ability to create CloudFormation stacks could cause a denial-of-service on some CloudFormation actions within a single AWS account.

Ian Mckay
View all