49 matches found
Design/Logic Flaw
An authenticated attacker can leverage an exposed “box” object to read and write arbitrary files from disk, provided those files can be parsed as yaml or JSON. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed version of...
CVE-2023-1306
CVE-2023-1306 affects Rapid7 InsightCloudSec. An authenticated attacker could abuse an exposed resource.db() accessor to smuggle Python methods via a Jinja template, enabling code execution. Mitigation: upgrade to InsightCloudSec 23.2.1 (Self-Managed) or apply the managed/SaaS patch released on 2...
CVE-2023-1306 Rapid7 InsightCloudSec resource.db() method access
An authenticated attacker can leverage an exposed resource.db accessor method to smuggle Python method calls via a Jinja template, which can lead to code execution. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed version o...
CVE-2023-1306 Rapid7 InsightCloudSec resource.db() method access
An authenticated attacker can leverage an exposed resource.db accessor method to smuggle Python method calls via a Jinja template, which can lead to code execution. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed version o...
CVE-2023-1305
CVE-2023-1305 affects Rapid7 InsightCloudSec where an authenticated attacker could leverage an exposed “box” object to read and write arbitrary files on disk as long as they are parsable as YAML/JSON. The issue has been mitigated in the Managed and SaaS deployments as of February 1, 2023 and in t...
CVE-2023-1305 Rapid7 InsightCloudSec box object access
An authenticated attacker can leverage an exposed “box” object to read and write arbitrary files from disk, provided those files can be parsed as yaml or JSON. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed version of...
CVE-2023-1304
CVE-2023-1304 affects InsightCloudSec. An authenticated attacker can use an exposed getattr() via a Jinja template to smuggle OS commands and invoke actions normally restricted to private methods. Affected are InsightCloudSec versions prior to the fixes; the issue was resolved in Managed and SaaS...
CVE-2023-1304 Rapid7 InsightCloudSec getattr() method access
An authenticated attacker can leverage an exposed getattr method via a Jinja template to smuggle OS commands and perform other actions that are normally expected to be private methods. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the...
InsightCloudSec 代码注入漏洞
InsightCloudSec is a fully integrated cloud-native security platform from InsightCloudSec. A security vulnerability exists in versions of InsightCloudSec prior to 23.3.21 that stems from an attacker being able to utilize the publicly available resource.db accessor method to invoke Python methods...
InsightCloudSec 代码注入漏洞
InsightCloudSec is a fully integrated cloud-native security platform from InsightCloudSec. A security vulnerability exists in versions of InsightCloudSec prior to 23.3.21 that stems from an attacker being able to execute OS commands via a Jinja template utilizing the publicly available getattr...
PT-2023-16876 · Unknown · Insightcloudsec
Name of the Vulnerable Software and Affected Versions: InsightCloudSec versions prior to 23.2.1 Description: An authenticated attacker can leverage an exposed getattr method via a Jinja template to smuggle OS commands and perform other actions that are normally expected to be private methods. Thi...
PT-2023-16878 · Unknown · Insightcloudsec
Name of the Vulnerable Software and Affected Versions: InsightCloudSec versions prior to 23.2.1 Description: An authenticated attacker can leverage an exposed resource.db accessor method to smuggle Python method calls via a Jinja template, which can lead to code execution. This issue was resolved...
Cloud Audit: Compliance + Automation
Setting your own standard Today’s regulatory environment is incredibly fractured and extensive. Depending on the industry—and the part of the world your business and/or security organization resides in—you may be subject to several regulatory compliance standards. Adding to the complexity, there ...
Rapid7 and HashiCorp Partner to Secure Terraform-based Cloud Infrastructure Deployments
Welcome to the latest installment in our cloud security “shift-left” blog series. In our last post, we covered the importance of integrating cloud infrastructure security assessments into DevOps tools and enabling Infrastructure as Code IaC developers. This time, we’re focusing on Rapid7’s recent...
Cloud IAM Done Right: How LPA Helps Significantly Reduce Cloud Risk
Authored by Sanjeev Williams and Ryan Blanchard Today almost all cloud users, roles, and identities are overly permissive. This leads to repeated headlines and forensic reports of attackers leveraging weak identity postures to gain a foothold, and then moving laterally within an organization's...
Integrating Cloud Security With DevOps and CI/CD Tools
This is the latest post in our blog series on shifting left in cloud security. In our last post, we kicked off the series with a high-level overview about Rapid7’s approach to shifting cloud security into the application development lifecycle. For this post, we’ll dive into a key aspect of our...
Shift Left: Secure Your Innovation Pipeline
There’s no shortage of buzzwords in the tech world. Some are purely marketing spin. But others are colloquial ways for the industry to talk about complex topics that have a massive impact on how organizations and teams drive innovation and work more efficiently. Here at Rapid7, we believe the...
What We’re Looking Forward to at AWS re:Inforce
AWS re:Inforce 2022 starts tomorrow — Tuesday, July 26th — and we couldn't be more excited to gather with the tech, cloud, and security communities in our home city of Boston. Here's a sneak peek of the highlights to come at re:Inforce and what we're looking forward to the most this Tuesday and...
Update for CIS Google Cloud Platform Foundation Benchmarks - Version 1.3.0
The Center for Internet Security CIS recently released an updated version of their Google Cloud Platform Foundation Benchmarks - Version 1.3.0. Expanding on previous iterations, the update adds 21 new benchmarks covering best practices for securing Google Cloud environments. The updates were broa...
InsightCloudSec Supports the Recently Updated NSA/CISA Kubernetes Hardening Guide
The National Security Agency NSA and the Cybersecurity and Infrastructure Security Agency CISA recently updated their Kubernetes Hardening Guide, which was originally published in August 2021. With the help and feedback received from numerous partners in the cybersecurity community, this guide...