critical

ECR Public vulnerability in undocumented API

Published Tue, Dec 13th, 2022
Platforms

Summary

A vulnerability in Elastic Container Registry (ECR) Public could have allowed a malicious actor to delete, update, or create ECR Public images, layers, or tags in registries and repositories belonging to any other AWS account, by abusing undocumented API calls. A malicious actor could have exploited this to delete any or all images in the Amazon ECR Public Gallery or update the content of any existing image to inject malicious code on any machine that would pull and run it.

Affected Services

ECR Public

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Disclosure Date
Tue, Nov 15th, 2022
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
8.93
(PI:1.5/A1:20/A2:1/A7:1.1/A8:1.1)
Discovered by
Gafnit Amiga, Lightspin