high

Azure Pipelines Agent poisoned pipeline execution

Published Wed, Dec 20th, 2023

Platforms

Summary

Azure Pipelines and GitHub Actions allow deployment of runners and agents using VM images sourced from a GitHub-managed repository (github.com/actions/runner-images). This repo was misconfigured to use self-hosted runners insecurely, in a way that could have allowed a malicious external contributor (i.e., anyone who had previously had at least one PR approved and merged in the repo) to poison the repository and achieve code execution on runners in the repo. This in turn could have theoretically allowed an attacker to modify the source code of the images, and thereby conduct a supply chain attack against Pipelines and Actions customers.

Affected Services

Pipelines

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://adnanthekhan.com/2023/12/20/one-supply-chain-attack-to-rule-them-all/

Contributed by https://github.com/korniko98

Disclosure Date

Sat, Jul 22nd, 2023

Exploitablity Period

Until 2023/07/26

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Adnan Khan

More vulnerabilities...

low

Amazon WorkSpaces Windows client credential logging

AWS identified an issue in the Amazon WorkSpaces Windows client which resulted in unintentionally logging connection debugging information to a user's local system. This data could include username...

Fri, Oct 6th, 2023

high

Power Platform Custom Code information disclosure

A vulnerability in Power Platform could lead to unauthorized access to Custom Code functions used for custom connectors, thereby allowing cross-tenant information disclosure of secrets or other sen...

Evan Grant, Tenable

Fri, Aug 4th, 2023

low

Bad.Build

An information disclosure vulnerability in the Google Cloud Build service could have allowed an attacker to view sensitive logs if they had gained prior access to a GCP environment and had permissi...

Roi Nisimi, Orca Security

Tue, Jul 18th, 2023

View all