low

S3 bucket tagging not restricted

Published Mon, Sep 28th, 2020

Platforms

aws

Summary

Lack of the privilege s3:PutBucketTagging did not restrict the ability to tag S3 buckets.

Affected Services

S3

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://onecloudplease.com/blog/security-september-still-early-days-for-abac

Contributed by https://github.com/0xdabbad00

Entry Status

Finalized

Disclosure Date

Mon, Sep 28th, 2020

Exploitability Period

-

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

-

Discovered by

Ian Mckay

More vulnerabilities...

low

Encryption SDK vulnerabilities

aws

AWS KMS and all versions of AWS Encryption SDKs prior to version 2.0.0 were susceptible to information leakage (an attacker could create ciphertexts that would leak the user’s AWS account ID, encry...

Thai Duong (thaidn), Google
low

CloudFormer review

aws

An audit of an AWS open-source project identified a great deal of issues, and as a result AWS made the decision to take it down.

Karim El-Melhaoui, O3 Cyber
high

CloudFormation resource provider credentials leak

aws

CloudFormation allows the use of Lambda-backed resource providers, wherein Lambda can be used to write custom provisioning logic to be executed during CloudFormation stack operations. The aforement...

Aidan Steele
View all