28 matches found
CVE-2024-23332
The Notary Project is a set of specifications and tools intended to provide a cross-industry standard for securing software supply chains by using authentic container images and other OCI artifacts. An external actor with control of a compromised container registry can provide outdated versions o...
CVE-2022-3512
Using warp-cli command "add-trusted-ssid", a user was able to disconnect WARP client and bypass the "Lock WARP switch" feature resulting in Zero Trust policies not being enforced on an affected endpoint...
AWS CDK CodePipeline: trusted entities are too broad
Summary The AWS Cloud Development Kit CDK is an open-source framework for defining cloud infrastructure using code. Users use it to create their own applications, which are converted to AWS CloudFormation templates during deployment to a user's AWS account. AWS CDK contains pre-built components...
Privilege Escalation
Amazon AWS Amplify CLI is vulnerable to Privilege Escalation. The vulnerability is due to the mishandling of role trust policies when the Authentication component is removed, leaving "Effect":"Allow" in place without conditions, thus exposing sts:AssumeRoleWithWebIdentity to potential misuse...
Meeting FISMA (M-24-04) Requirements with a Unified Attack Surface Management Strategy
At the end of 2023, the Office of Management and Budget (OMB) released the FY24 FISMA guidance (M-24-04) with a broad focus on securing the entire attack surface and specific action items for agencies pertaining to High Value Assets, IoT/OT devices, and internet-connected assets. In reference to rece...
Rollback Attack
github.com/notaryproject/notation is vulnerable to Rollback Attack. The attack requires a compromised container registry: an attacker controlling it can serve outdated artifact versions to consumers whose trust policies are relaxed...
Design/Logic Flaw
The Notary Project is a set of specifications and tools intended to provide a cross-industry standard for securing software supply chains by using authentic container images and other OCI artifacts. An external actor with control of a compromised container registry can provide outdated versions o...
CVE-2024-23332 Client configured with permissive trust policies susceptible to rollback attack in Notary Project
The Notary Project is a set of specifications and tools intended to provide a cross-industry standard for securing software supply chains by using authentic container images and other OCI artifacts. An external actor with control of a compromised container registry can provide outdated versions o...
Go package github.com/notaryproject/notation configured with permissive trust policies potentially susceptible to rollback attack from compromised registry
Impact An external actor with control of a compromised container registry can provide outdated versions of OCI artifacts, such as Images. This could lead artifact consumers with relaxed trust policies such as "permissive" instead of "strict" to potentially use artifacts with signatures that are no...
GHSA-57WX-M636-G3G8 Go package github.com/notaryproject/notation configured with permissive trust policies potentially susceptible to rollback attack from compromised registry
Impact An external actor with control of a compromised container registry can provide outdated versions of OCI artifacts, such as Images. This could lead artifact consumers with relaxed trust policies such as "permissive" instead of "strict" to potentially use artifacts with signatures that are no...
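The Notary Project entries above all turn on the consumer's verification level in notation's trust policy (trustpolicy.json). The following is an added example, not Notary Project code: it embeds a constructed "permissive" policy, reports every entry whose level or per-check override would let a rolled-back artifact with an expired or revoked signature verify, and rewrites the policy to "strict". The registry name, trust store name and identity are assumptions made up for the example; the override key names follow the Notary Project trust policy specification.

```python
"""Added example, not Notary Project code: inspect a notation trust policy
(trustpolicy.json) and report entries whose verification level would let a
rolled-back artifact with an expired or revoked signature verify. Registry
name, CA name and identity below are constructed for the example."""
import json

# Constructed sample: a consumer-side policy left at the "permissive" level.
# Under "permissive", notation enforces integrity and authenticity but only
# logs expiry and revocation failures, which is what the rollback relies on.
PERMISSIVE_POLICY = json.dumps({
    "version": "1.0",
    "trustPolicies": [{
        "name": "prod-images",
        "registryScopes": ["registry.example.com/app"],
        "signatureVerification": {"level": "permissive"},
        "trustStores": ["ca:example-ca"],
        "trustedIdentities": ["x509.subject: CN=release,O=Example"],
    }],
})

# Constructed sample: "strict" on paper, but expiry downgraded via "override".
STRICT_WITH_OVERRIDE = json.dumps({
    "version": "1.0",
    "trustPolicies": [{
        "name": "staging-images",
        "registryScopes": ["registry.example.com/staging"],
        "signatureVerification": {"level": "strict",
                                  "override": {"expiry": "log"}},
        "trustStores": ["ca:example-ca"],
        "trustedIdentities": ["*"],
    }],
})

# Checks that "strict" enforces and that an "override" entry can downgrade.
DOWNGRADABLE_CHECKS = ("authenticTimestamp", "expiry", "revocation")


def weak_policies(policy_json):
    """Return (policy name, reason, registryScopes) for each weakened entry."""
    doc = json.loads(policy_json)
    findings = []
    for tp in doc.get("trustPolicies", []):
        sv = tp.get("signatureVerification", {})
        level = sv.get("level")
        scopes = tp.get("registryScopes", [])
        if level != "strict":
            findings.append((tp["name"], f"level={level}", scopes))
            continue
        # A strict policy can still be weakened per check via "override".
        weakened = [c for c in DOWNGRADABLE_CHECKS
                    if sv.get("override", {}).get(c) in ("log", "skip")]
        if weakened:
            findings.append((tp["name"], "override=" + ",".join(weakened), scopes))
    return findings


def harden(policy_json):
    """Return the policy with every entry forced to "strict" and no overrides."""
    doc = json.loads(policy_json)
    for tp in doc.get("trustPolicies", []):
        tp["signatureVerification"] = {"level": "strict"}
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    for sample in (PERMISSIVE_POLICY, STRICT_WITH_OVERRIDE):
        for name, reason, scopes in weak_policies(sample):
            print(f"{name}: {reason} on {scopes}")
    print(harden(PERMISSIVE_POLICY))
```

Run it against the trust policy notation actually loads on the consumer (by default the file in notation's config directory) rather than a copy in source control, since the file on the verifying host is the one that decides whether an expired signature is fatal or merely logged.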
CVE-2023-35165 AWS CDK EKS overly permissive trust policies
AWS Cloud Development Kit AWS CDK is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. In the packages aws-cdk-lib 2.0.0 until 2.80.0 and @aws-cdk/aws-eks 1.57.0 until 1.202.0, eks.Cluster and eks.FargateCluster...
AWS Cloud Development Kit security vulnerability
AWS Cloud Development Kit is an open source software development framework for defining cloud infrastructure in code and configuring it via AWS CloudFormation. A security vulnerability exists in AWS Cloud Development Kit that stems from two roles created by eks.Cluster and eks.FargateCluster that...
Overly Permissive Trust Policies
aws-cdk is vulnerable to Overly Permissive Trust Policies. The vulnerability exists because the library's CreationRole and the default MastersRole use the account root principal in their trust policy, which allows eks.Cluster and eks.FargateCluster construct clusters to create two roles that have...
GHSA-RX28-R23P-2QC3 AWS CDK EKS overly permissive trust policies
If you are using the eks.Cluster or eks.FargateCluster construct we need you to take action. Other users are not affected and can stop reading. Impact The AWS Cloud Development Kit CDK allows for the definition of Amazon Elastic Container Service for Kubernetes EKS clusters. eks.Cluster and...
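The Amplify CLI and CDK EKS entries above describe two shapes of weak IAM role trust policy: sts:AssumeRoleWithWebIdentity allowed with no Condition, and a trust policy whose principal is the account root. The following is an added example, not AWS CDK or Amplify CLI code: a small scanner that flags both patterns in a trust policy document, with a constructed weak and hardened sample for each. The account ID, role names and identity pool ID are assumptions made up for the example, and only exact action names are matched (no IAM wildcard expansion beyond "sts:*" and "*").

```python
"""Added example, not AWS CDK or Amplify CLI code: scan an IAM role trust
policy for an account-root (or wildcard) principal and for
sts:AssumeRoleWithWebIdentity allowed with no Condition. The account ID,
role names and identity pool ID are constructed for the example."""
import json
import re

ROOT_PRINCIPAL = re.compile(r"^arn:aws:iam::\d{12}:root$")
# Action spellings treated as granting web-identity assumption (exact match only).
WEB_IDENTITY_ACTIONS = {"sts:AssumeRoleWithWebIdentity", "sts:*", "*"}

# Constructed sample: trusts the account root, so any principal in account
# 111122223333 whose identity policy allows sts:AssumeRole can become this role.
ROOT_TRUST = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed sample: the same role scoped to one named deployment role.
SCOPED_TRUST = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/eks-deployer"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed sample: web-identity federation left as "Effect":"Allow" with no
# Condition, so any identity the provider vouches for may assume the role.
WEB_IDENTITY_OPEN = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }],
})

# Constructed sample: the same statement pinned to one identity pool and to
# authenticated identities only.
WEB_IDENTITY_PINNED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"cognito-identity.amazonaws.com:aud":
                             "us-east-1:00000000-0000-0000-0000-000000000000"},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr":
                                       "authenticated"},
        },
    }],
})


def _as_list(v):
    """IAM allows a string or a list in most positions; normalise to a list."""
    return v if isinstance(v, list) else [v]


def _principals(stmt):
    """Flatten the Principal element to a list of strings; "*" stays "*"."""
    p = stmt.get("Principal", {})
    if isinstance(p, str):
        return [p]
    out = []
    for v in p.values():
        out.extend(_as_list(v))
    return out


def trust_policy_findings(policy_json):
    """Return (statement index, finding) for each weak Allow statement."""
    doc = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principals = _principals(stmt)
        actions = set(_as_list(stmt.get("Action", [])))
        if any(p == "*" or ROOT_PRINCIPAL.match(p) for p in principals):
            findings.append((i, "account-root-or-wildcard-principal"))
        if actions & WEB_IDENTITY_ACTIONS and not stmt.get("Condition"):
            findings.append((i, "web-identity-without-condition"))
    return findings


if __name__ == "__main__":
    for label, doc in (("root", ROOT_TRUST), ("scoped", SCOPED_TRUST),
                       ("web-open", WEB_IDENTITY_OPEN), ("web-pinned", WEB_IDENTITY_PINNED)):
        print(label, trust_policy_findings(doc))
```

The scanner reads the AssumeRolePolicyDocument as it exists on the role, so it can be pointed at the output of a synthesized CloudFormation template or at roles listed from a live account; a Condition that is present but empty counts as absent, because an empty Condition grants exactly as much as none.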
Rapid7 Integration For AWS Verified Access
Today at re:invent, Amazon Web Services AWS unveiled its new AWS Verified Access service, and we are thrilled to announce that InsightIDR — Rapid7’s next-gen SIEM and XDR — will support log ingestion from this new service when it is made generally available. What Is AWS Verified Access? AWS...
CVE-2022-3337
It was possible for a user to delete a VPN profile from WARP mobile client on iOS platform despite the Lock WARP switch https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/warp-settings/lock-warp-switch feature being enabled on Zero Trust Platform. This led to...
CVE-2022-3512 Lock WARP switch bypass using warp-cli 'add-trusted-ssid' command
Using warp-cli command "add-trusted-ssid", a user was able to disconnect WARP client and bypass the "Lock WARP switch" feature resulting in Zero Trust policies not being enforced on an affected endpoint...