CVE-2019-10777
CVE-2019-10777 affects aws-lambda prior to v1.0.5. The vulnerability arises because config.FunctionName is used to assemble the argument for exec without sanitization, enabling an attacker to inject arbitrary commands into the zipCmd executed via config.FunctionName. Impact ranges from partial to ...
@xapp/stentor (>=1.13.9 <=1.15.0) potentially affected by CVE-2019-10777 via aws-lambda (>=1.0.0 <=1.0.4)
aws-lambda NPM version =1.0.0, =1.13.9, =1.15.0 Source cves: CVE-2019-10777 Source advisory: SNYK:JS-AWSLAMBDA-540839...
Command Injection
Overview aws-lambda is a command line tool to deploy code to AWS Lambda. Affected versions of this package are vulnerable to Command Injection. The config.FunctionName is used to construct the argument used within the exec function without any sanitization. It is possible for a user to inject arbitra...
Serverless ETLs? Easy Data Lake Transformations using AWS Athena
In a data lake, raw data is added with little or no processing, allowing you to query it straight away. This gives you a great way to learn about your data - whether it represents a quick win or a fast fall. However, there are two disadvantages: performance and costs. If, for example, you added CSV...
Taking Reputation to Scale: An Iterative Journey with an Agile Approach (Part 2)
In Part 1 of this blog, we shared with you the challenges we had in balancing latency, scalability, and cost for our reputation services. In this blog, we’ll give you some insights into each major iteration along that journey, from the beginning to where we are now. 100 requests per second. Befor...
Monitoring AWS Golden AMI Pipelines with Slack
If your company uses Slack and is looking for ways to easily monitor activities in its AWS Golden AMI Pipeline, you can use AWS native services to send messages into a Slack channel. This can give your teams better visibility into the approval process for the candidate AMIs that they submit, as...
ah-airbrake-plugin (=0.0.2), aws_lambda_app (>=1.0.1 <=2.0.1) +11 more potentially affected by CVE-2016-10530 via airbrake (>=0.2.9 <=0.3.8)
airbrake NPM version =0.2.9, =1.0.1, =0.0.1, =4.0.0, =0.1.6, =0.2.0, =0.0.1, =0.0.1, =0.0.1, =1.0.0, =1.0.1 Source cves: CVE-2016-10530 Source advisory: OSV:GHSA-856X-CP3Q-47VG...
Assess Vulnerabilities, Misconfigurations in AWS Golden AMI Pipelines
Today we’re starting a blog series focused on how to integrate Qualys solutions into DevSecOps for securing cloud infrastructures. In this initial post, we’ll discuss the importance of assessing vulnerabilities and misconfigurations on AWS pipelines. When developing golden Amazon Machine Images...
The AWS Exploitation Framework: Pacu
Pacu is an open source AWS exploitation framework, designed for offensive security testing against cloud environments. Created and maintained by Rhino Security Labs, Pacu allows penetration testers to exploit configuration flaws within an AWS account, using modules to easily expand its...
UEditor: Analysis of an Arbitrary File Upload Vulnerability in Two Versions of the Editor - Vulnerability Warning - the Black Bar Safety Net
0x01 Introduction UEditor is an open-source WYSIWYG rich text editor developed by Baidu's WEB front-end R&D department. It is lightweight, customizable, offers an excellent user experience and is used by a large number of WEB applications; this disclosed high-risk vulnerability...
Cloud Custodian - Rules Engine For Cloud Security, Cost Optimization, And Governance, DSL In Yaml For Policies To Query, Filter, And Take Actions On Resources
Cloud Custodian is a rules engine for AWS fleet management. It allows users to define policies to enable a well managed cloud infrastructure, that's both secure and cost optimized. It consolidates many of the adhoc scripts organizations have into a lightweight and flexible tool, with unified...
AWS Key Disabler - A Small Lambda Script That Will Disable Access Keys Older Than A Given Amount Of Days
The AWS Key disabler is a Lambda Function that disables AWS IAM User Access Keys after a set amount of time in order to reduce the risk associated with old access keys. AWS Lambda Architecture SysOps Output for EndUser Developer Toolchain Current Limitations A report containing the output json of...
AWS Pwn - A Collection Of AWS Penetration Testing Junk
This is a collection of horribly written scripts for performing various tasks related to penetration testing AWS. Please don't be sad if it doesn't work for you. It might be that AWS has changed since a given tool was written or it might be that the code sux. Either way, please feel free to...
Anton Myshenin aws-lambda-multipart-parser NPM Packet Denial of Service Vulnerability
Anton Myshenin aws-lambda-multipart-parser NPM is a parser for handling multiple form data requests. A security vulnerability exists in the index.js file in the Anton Myshenin aws-lambda-multipart-parser NPM package prior to version 0.1.2. An attacker can exploit the vulnerability to cause a deni...
AWS Lambda parser is vulnerable to Regular Expression Denial of Service
index.js in the aws-lambda-multipart-parser NPM package before 0.1.2 has a Regular Expression Denial of Service ReDoS issue via a crafted multipart/form-data boundary string...
GHSA-6JQP-J69Q-PM62 AWS Lambda parser is vulnerable to Regular Expression Denial of Service
index.js in the aws-lambda-multipart-parser NPM package before 0.1.2 has a Regular Expression Denial of Service ReDoS issue via a crafted multipart/form-data boundary string...
Regular Expression Denial Of Service (ReDoS)
aws-lambda-multipart-parser is vulnerable to regular expression denial of service (ReDoS) attacks. These attacks are possible through a multipart/form-data boundary string and allow attackers to inject and execute arbitrary code...
CVE-2018-7560
index.js in the Anton Myshenin aws-lambda-multipart-parser NPM package before 0.1.2 has a Regular Expression Denial of Service ReDoS issue via a crafted multipart/form-data boundary string...
CVE-2018-7560
The CVE-2018-7560 issue affects the npm package aws-lambda-multipart-parser prior to version 0.1.2 by Anton Myshenin. The vulnerability is a Regular Expression Denial of Service (ReDoS) in index.js triggered by specially crafted multipart/form-data boundary strings, potentially enabling a denial ...