critical

SuperGlue

Published Thu, Jan 13th, 2022

Platforms

Summary

Compromise of internal AWS Glue service to assume the glue role in any AWS account that used glue.

Affected Services

Glue

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://orca.security/resources/blog/aws-glue-vulnerability/https://aws.amazon.com/security/security-bulletins/AWS-2022-002/

Contributed by https://github.com/0xdabbad00

Entry Status

Finalized

Disclosure Date

Thu, Sep 30th, 2021

Exploitability Period

Known ITW Exploitation

Detection Methods

None

Piercing Index Rating

8.93

(PI:1.5/A1:20/A2:1.1/A7:1.1/A8:1)

Discovered by

Yanir Tsarimi, Orca Security

More vulnerabilities...

critical

BreakingFormation

Read access of host of AWS internal Cloudformation service via XXE SSRF. The level of access with the compromised IAM role from there is unclear.

Tzah Pahima, Orca SecurityJan 13, 2022

AWS AI services ToS allow sharing of customer data

Use of the AI services on AWS allows customer data to be moved outside of the regions it is used in and potentially shared with third-parties. Note: This issue is outside the scope of this database...

Ben BridtsJan 6, 2022

high

Bypassing Identity-Aware Proxy in Google Cloud

A vulnerability in Google Cloud Platform's Identity-Aware Proxy (IAP) allowed attackers to bypass authentication and access IAP-secured web applications. The exploit involved creating a malicious I...

SebLuDec 30, 2021

View all