low

Timing attack with Lambda and CloudWatch Synthetics

Published Tue, Sep 15th, 2020

Platforms

aws

Summary

The immutability of Lambda versions could be violated via a timing attack against CloudWatch Synthetics canaries.

Affected Services

Lambda, CloudWatch Synthetics

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://onecloudplease.com/blog/security-september-racing-against-cloudwatch-synthetics-canaries

Contributed by https://github.com/ramimac

Entry Status

Finalized

Disclosure Date

Tue, Sep 15th, 2020

Exploitability Period

-

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

-

Discovered by

Ian Mckay

More vulnerabilities...

low

CloudFormation denial of service (in a single account)

aws

An attacker with the ability to create CloudFormation stacks could cause a denial-of-service on some CloudFormation actions within a single AWS account.

Ian Mckay
medium

GCP service accounts and projects information leak

gcp

It was possible to list IAM service accounts of any GCP project, given only its ID, by forging a pageToken for the projects.serviceAccounts.list method of the IAM API. Due to the design of certain...

Ezequiel Pereira
high

Google Cloud Shell Bugs Expose User Credentials

gcp

Three vulnerabilities in Google Cloud Shell were discovered, allowing attackers to execute arbitrary code and potentially steal user credentials. The bugs affected Ruby gemspec parsing, TypeScript ...

David Dworken
View all