Lucene search
K

6 matches found

OSV
OSV
added 2026/06/10 1:37 p.m.6 views

GHSA-G759-4PXW-6692 @hulumi/policies bypasses IAM-role policy checks when the role trusts multiple OIDC providers

Affected: @hulumi/policies 1.4.0 — Fixed in: 1.4.0 — Severity: High — CWE-697 Incorrect Comparison Summary AWS IAM trust policies can list more than one federated identity provider — for example, a role that accepts BOTH GitHub Actions OIDC and Google's OIDC. The GOIDC1 and GOIDC2 policy rules ar...

8.3CVSS5.5AI score0.0004EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/10 12:0 a.m.10 views

PT-2026-48474

Affected: @hulumi/policies 1.4.0 — Fixed in: 1.4.0 — Severity: High — CWE-697 Incorrect Comparison Summary AWS IAM trust policies can list more than one federated identity provider — for example, a role that accepts BOTH GitHub Actions OIDC and Google's OIDC. The G OIDC 1 and G OIDC 2 policy rule...

8.3CVSS5.5AI score0.0004EPSS
Exploits0References4
OSV
OSV
added 2026/05/21 8:45 p.m.4 views

GHSA-Q2F7-M237-V562 @hulumi/policies: GitHub OIDC trust policy bypass via AWS set-qualified condition operators

Impact: @hulumi/policies versions before 1.3.2 only checked exact AWS IAM StringLike/StringEquals condition operator keys in GOIDC1. Set-qualified operators such as ForAnyValue:StringLike could hide wildcard GitHub Actions OIDC sub conditions from the mandatory guardrail. Patched in 1.3.2: the AW...

9.3CVSS5.8AI score
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/21 8:45 p.m.17 views

@hulumi/policies: GitHub OIDC trust policy bypass via AWS set-qualified condition operators

Impact: @hulumi/policies versions before 1.3.2 only checked exact AWS IAM StringLike/StringEquals condition operator keys in GOIDC1. Set-qualified operators such as ForAnyValue:StringLike could hide wildcard GitHub Actions OIDC sub conditions from the mandatory guardrail. Patched in 1.3.2: the AW...

5.8AI score
Exploits0References2Affected Software1
CVE
CVE
added 2026/05/14 9:9 p.m.24 views

CVE-2026-44428

The CVE-2026-44428 issue affects the MCP Registry’s GitHub OIDC token flow: before 1.7.6, both client and server validate a shared audience string (audience=mcp-registry) across registry deployments, enabling a token obtained for one registry to be replayed against another. This breaks deployment...

4.7CVSS5.9AI score0.00219EPSS
Exploits0References1Affected Software1
Snyk
Snyk
added 2026/05/11 9:0 p.m.11 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS6AI score0.02342EPSS
Exploits3References2
Rows per page
Query Builder