Missing JWT issuer and signer validation in ALB middleware

Published Mon, Oct 21st, 2024

Platforms

Summary

Affected Services

AWS ALB Route Directive Adapter For Istio, AspNetCore for Application Load Balancer OpenId Connect

Tracked CVEs

CVE-2024-8901, CVE-2024-10125

References

https://aws.amazon.com/security/security-bulletins/AWS-2024-011/https://aws.amazon.com/security/security-bulletins/AWS-2024-012/

Entry Status

Stub

Disclosure Date

Exploitability Period

Known ITW Exploitation

Detection Methods

None

Piercing Index Rating

Discovered by

Miggo Security

More vulnerabilities...

low

Data exfil via VPC endpoint denials in CloudTrail

CloudTrail delivered events to the resource owner and API caller even when the API action was denied by the VPC endpoint policy. This could have enabled a stealthy data exfiltration method in cases...

Sam Cox, TracebitOct 15, 2024

high

CloudShell Vulnerability Grants Unintended AWS Access

A vulnerability in AWS CloudShell allowed users to gain unintended command-line access to the underlying AWS infrastructure. During a training session, a delegate unexpectedly received the identity...

Paul SchwarzenbergerOct 15, 2024

low

Subdomain Takeover Vulnerability in GitLab Pages

A vulnerability in GitLab Pages allowed attackers to take over dangling custom domains pointing to 'instanceX.gitlab.io'. The issue occured when adding an unverified custom domain to GitLab Pages, ...

Philippe DelteilOct 9, 2024

View all