medium

Dependency confusion in AWS CodeArtifact

Published Thu, Jul 14th, 2022
Platforms

Summary

AWS CodeArtifact was susceptible to dependency confusion / substitution (i.e., publication of a malicious package to a public repository under the same name as an organization's internal package, so that the public version is pulled in place of the internal one). AWS fixed this issue by adding package origin controls, which let users restrict how new versions of a given package can be added to a CodeArtifact repository (directly published versus pulled from an upstream source).
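The following is an added illustration of the mitigation described above; it is not code from AWS or from this advisory. It models the origin control (publish vs. upstream restrictions per package), audits a constructed set of package records shaped like the originConfiguration.restrictions block returned by `aws codeartifact describe-package`, and emits the CLI command that applies the hardened setting. The domain, repository and package names are invented; the rule it applies to third-party packages (block direct publish, allow upstream) is a general hardening choice, not something the advisory prescribes.

```python
"""Audit AWS CodeArtifact package origin controls for dependency-confusion exposure.

Added illustration, not code from AWS or from the advisory. The records below are
constructed to mimic the `originConfiguration.restrictions` block returned by
`aws codeartifact describe-package`; domain, repository and package names are invented.
"""
from dataclasses import dataclass, replace
import shlex


@dataclass(frozen=True)
class PackageOrigin:
    fmt: str        # package format: npm, pypi, maven, nuget, ...
    name: str
    publish: str    # "ALLOW" | "BLOCK": versions pushed directly into the repository
    upstream: str   # "ALLOW" | "BLOCK": versions pulled in from upstream/external repos
    internal: bool  # True when the organisation authors this package itself


# Constructed sample: one internal package still on the permissive setting,
# one internal package already hardened, and one ordinary third-party package.
SAMPLE = [
    PackageOrigin("npm", "acme-internal-auth", "ALLOW", "ALLOW", internal=True),
    PackageOrigin("pypi", "acme-billing", "ALLOW", "BLOCK", internal=True),
    PackageOrigin("npm", "lodash", "ALLOW", "ALLOW", internal=False),
]


def version_accepted(pkg, source):
    """Model of the origin control: would a new version arriving via `source`
    ("publish" = direct push, "upstream" = fetched from a public/upstream repo)
    be added to the repository under this package's current restrictions?"""
    if source == "publish":
        return pkg.publish == "ALLOW"
    if source == "upstream":
        return pkg.upstream == "ALLOW"
    raise ValueError(f"unknown version source: {source}")


def is_confusable(pkg):
    """An internal package is exposed to substitution while the repository is
    still willing to accept versions of it from an upstream (public) source."""
    return pkg.internal and version_accepted(pkg, "upstream")


def audit(packages):
    """Names of internal packages whose origin controls still allow upstream versions."""
    return [p.name for p in packages if is_confusable(p)]


def hardened(pkg):
    """Restrictions a defender would apply: internal packages accept direct
    publishes only; third-party packages come from upstream only (the latter is
    a general hardening choice, not one the advisory itself states)."""
    if pkg.internal:
        return replace(pkg, publish="ALLOW", upstream="BLOCK")
    return replace(pkg, publish="BLOCK", upstream="ALLOW")


def fix_command(domain, repository, pkg):
    """AWS CLI invocation that applies the hardened restrictions. The subcommand
    and flags follow the CodeArtifact PutPackageOriginConfiguration API; scoped
    npm packages and Maven groupIds would additionally need --namespace, which
    this example omits. Domain/repository values are whatever the caller passes."""
    h = hardened(pkg)
    args = [
        "aws", "codeartifact", "put-package-origin-configuration",
        "--domain", domain,
        "--repository", repository,
        "--format", h.fmt,
        "--package", h.name,
        "--restrictions", f"publish={h.publish},upstream={h.upstream}",
    ]
    return shlex.join(args)


if __name__ == "__main__":
    # Print the remediation command for every exposed internal package.
    for name in audit(SAMPLE):
        pkg = next(p for p in SAMPLE if p.name == name)
        print(fix_command("acme", "npm-store", pkg))
```

Run against real data, the SAMPLE list would be replaced by records built from describe-package output, with the `internal` flag coming from the organisation's own inventory of first-party package names; the audit then reports exactly which packages are still confusable and what to run to close them.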

Affected Services

CodeArtifact

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Disclosure Date
Fri, Oct 29th, 2021
Exploitability Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Ignacio Dominguez, Zego