low

MWAA logs leak tokens and hostnames

Published Tue, May 31st, 2022

Platforms

Summary

Two API calls used by Amazon Managed Workflows for Apache Airflow (MWAA) to convert AWS IAM credentials into tokens that can be used to login to Airflow (CreateCliToken and CreateWebLoginToken) were logging the tokens to Cloudtrail. The event included the hostname for the airflow server, so everything required to login to Airflow was in the event. However, the issue was largely mitigated by the fact that the tokens are only valid for 60 seconds and CloudTrail delivers logs on average about every 15 minutes, so the chance of receiving a valid token were low.

Affected Services

MWAA

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://twitter.com/BenReser/status/1531710736719695872

Contributed by https://github.com/0xdabbad00

Entry Status

Finalized

Disclosure Date

Wed, May 11th, 2022

Exploitability Period

by 2022/05/22

Known ITW Exploitation

Detection Methods

None

Piercing Index Rating

Discovered by

Ben Reser, Vibes

More vulnerabilities...

medium

ELB Cache mechanism HTTP header smuggling

While testing rate-limiter protection, The researcher noticed that when forcing HTTP/1 requests and injecting a space after `X-Forwarded-For` he was able to override this specific header, letting ...

Andrea Brancaleoni, BraveMay 17, 2022

critical

Synlapse

Azure Synapse Analytics and Azure Data Factory were vulnerable to cross-tenant access and code execution. This was made possible via a combination of (1) a shell injection RCE vulnerability in the ...

Tzah Pahima, Orca SecurityMay 9, 2022

low

AWS package backfill attack

Two malicious versions were created of packages previously used by AWS. The packages were officially authored and maintained by AWS before they were removed by their legitimate author, and once the...

Mend DiffendMay 1, 2022

View all