
"This vulnerability compromised a core library used in the AWS Console itself - the central nervous system of the cloud,"
"SolarWinds gave attackers access to corporate networks. This could have given attackers code execution in the very interface administrators use to manage their entire infrastructure."
"This vulnerability exploits a blind spot in CI/CD [continuous integration/continuous delivery] security, not a flaw uniq"
A misconfiguration in AWS CodeBuild webhook filters allowed untrusted pull requests to trigger builds, enabling a supply-chain compromise dubbed CodeBreach. The flaw involved two missing characters in webhook filter rules that were supposed to block untrusted PRs. The vulnerability could have compromised a core library used by the AWS Console, enabling attackers to execute code in administrative interfaces and potentially control customer environments. Wiz disclosed the issue to AWS in August and AWS patched the problem in September. The bug illustrates a blind spot in CI/CD security and risks that extend beyond a single cloud provider.
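The summary does not say which two characters were missing from the webhook filter. As an added illustration (this is not Wiz's or AWS's code, and the specifics are assumptions), the example below models the commonly seen version of this bug: a filter on `ACTOR_ACCOUNT_ID` written as a bare account id instead of an anchored regex (`^...$`), evaluated with a substring search. It shows the weak rule beside the corrected one and includes a small lint that a defender can run over their own filter groups to flag unanchored actor patterns. Event values and account ids are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample values; not real AWS or GitHub identifiers.
TRUSTED_ACTOR_ID = "123456"


@dataclass(frozen=True)
class WebhookEvent:
    """Minimal model of the fields a PR webhook carries into a build trigger."""
    event_type: str        # e.g. "PULL_REQUEST_CREATED"
    actor_account_id: str  # numeric account id of the PR author, as a string


# Filter rules in the shape of a CodeBuild filter group: (field, pattern).
# Weak rule: the actor pattern is a bare id, so an unanchored regex search
# accepts any id that merely CONTAINS the trusted id (assumed bug model).
WEAK_FILTER = [
    ("EVENT", "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"),
    ("ACTOR_ACCOUNT_ID", TRUSTED_ACTOR_ID),
]

# Corrected rule: two added characters, '^' and '$', anchor the pattern so only
# an exact id matches.
HARDENED_FILTER = [
    ("EVENT", "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"),
    ("ACTOR_ACCOUNT_ID", f"^{TRUSTED_ACTOR_ID}$"),
]


def filter_matches(rules, event: WebhookEvent) -> bool:
    """Return True if every rule accepts the event (all rules must pass).

    Assumption: the ACTOR_ACCOUNT_ID pattern is a regex applied with an
    unanchored search, which is what makes the missing anchors matter.
    """
    for field, pattern in rules:
        if field == "EVENT":
            if event.event_type not in pattern.split(","):
                return False
        elif field == "ACTOR_ACCOUNT_ID":
            if re.search(pattern, event.actor_account_id) is None:
                return False
        else:
            raise ValueError(f"unsupported filter field: {field}")
    return True


def unanchored_actor_patterns(rules) -> list:
    """Lint helper: list ACTOR_ACCOUNT_ID patterns not anchored at both ends."""
    return [
        pattern
        for field, pattern in rules
        if field == "ACTOR_ACCOUNT_ID"
        and not (pattern.startswith("^") and pattern.endswith("$"))
    ]


if __name__ == "__main__":
    trusted = WebhookEvent("PULL_REQUEST_CREATED", TRUSTED_ACTOR_ID)
    lookalike = WebhookEvent("PULL_REQUEST_CREATED", "91234567")  # contains "123456"
    for name, rules in (("weak", WEAK_FILTER), ("hardened", HARDENED_FILTER)):
        print(name, "trusted:", filter_matches(rules, trusted),
              "lookalike:", filter_matches(rules, lookalike),
              "lint:", unanchored_actor_patterns(rules))
```

Running the block shows the weak filter accepting both the trusted id and the lookalike id, while the hardened filter accepts only the exact id; the lint reports the weak pattern and nothing for the hardened one. The same check generalises to any trigger condition expressed as a regex: anchor it, and test it against inputs that contain the trusted value as a substring.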
Read at Theregister