medium

Dependency confusion in AWS CodeArtifact

Published Thu, Jul 14th, 2022

Platforms

Summary

AWS CodeArtifact was susceptible to dependency confusion / substitution (i.e, publication of a malicious package to a public repository with the same name as an organization’s internal package). AWS fixed this issue by adding package origin controls, allowing users to limit how versions of a given package can be added to a CodeArtifact repository.

Affected Services

CodeArtifact

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://zego.engineering/dependency-confusion-in-aws-codeartifact-86b9ff68963d https://aws.amazon.com/blogs/devops/tighten-your-package-security-with-codeartifact-package-origin-control-toolkit/https://docs.aws.amazon.com/codeartifact/latest/ug/package-origin-controls.html

Contributed by https://github.com/mer-b

Entry Status

Finalized

Disclosure Date

Fri, Oct 29th, 2021

Exploitability Period

Known ITW Exploitation

Detection Methods

None

Piercing Index Rating

Discovered by

Ignacio Dominguez, Zego

More vulnerabilities...

low

Microsoft Azure Site Recovery DLL hijacking

The Microsoft Azure Site Recovery suite contained a DLL hijacking flaw that allowed for privilege escalation from any low privileged user to SYSTEM on hosts where this service was installed. Incorr...

James Sebree, TenableJul 12, 2022

high

AWS IAM Authenticator for Kubernetes AccessKeyID Validation Bypass

Amazon Elastic Kubernetes Service (EKS) uses IAM to provide authentication to the cluster through the AWS IAM Authenticator for Kubernetes (aws-iam-authenticator). aws-iam-authenticator can be inst...

Gafnit Amiga, LightspinJul 11, 2022

medium

FabricScape (CVE-2022-30137) - Azure Service Fabric privilege escalation

A vulnerability in Service Fabric allows Linux containers to escalate their privileges in order to gain root privileges on the node, and then compromise all of the nodes in the cluster. An attacker...

Aviv Sasson, Palo Alto Netw...Jun 28, 2022

View all