Yet another case where automatically turning attacker data into full-blown objects is a bad idea. In this case, the Sawyer library used by Octokit turns API responses into Ruby objects that are used to build Redis commands, allowing an attacker to inject arbitrary Redis commands, leading to code execution, with a crafted API response.
What happens when you tell a server to treat the `Content-Length` header as a hop-by-hop header and remove it? Request smuggling.
Just what can be accomplished when webhooks are allowed to access internal services? Cider Security takes a look, specifically at abusing GitHub and GitLab webhooks to access internally hosted Jenkins instances.
Five vulnerabilities in Cloudflare Pages across 3 blog posts. Three vulns are command injection, one is a container escape, and one is a lack of access control.
Container escape within GitLab CI Runners abusing cgroup's `release_agent` functionality, as CI jobs are allowed to mount file-systems. The `release_agent` is a script that will be executed when a cgroup hierarchy becomes empty...
AWS provided a hot-patching service that would patch Java binaries against the Log4Shell vulnerability but that introduced a container escape.
Two issues: one is a race condition between validating that a configuration is safe and using the configuration, the second is an information disclosure where a user's Net-NTLMv2 hash could be disclosed.
Great oversight spotted by the Lightspin team in Amazon Relational Database Service's (RDS) PostgreSQL service, allowing for arbitrary file reading and ultimately disclosure of internal service credentials.
Server-Side Request Forgery with both server-side and client-side impacts.
A simple container escape compared to several we've covered in the past: the `sysctls` passed into the `pinns` utility are delimited by a `+`, which can be maliciously included in a value to inject otherwise blocked `sysctls`. There is some minimal validation on the `sysctls` being passed in to ensure the keys don't match any sensitive keys; however, an attacker can set a value to `+sensitive.key=othervalue` to smuggle in a blocked option.
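The key-only validation gap described above, modelled in Go next to a check that also rejects the delimiter. This is an added example, not code from CRI-O or `pinns`; the type, the function names, the deny-list and `allowed.key` are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Sysctl is one key/value pair from a (possibly attacker-written) pod spec.
type Sysctl struct{ Key, Value string }

// Constructed deny-list; "sensitive.key" is the placeholder used in the text.
var blocked = map[string]bool{"sensitive.key": true}

// JoinKeysOnly models the flawed pattern: keys checked, values not, then '+'-joined.
func JoinKeysOnly(in []Sysctl) (string, error) {
	parts := make([]string, 0, len(in))
	for _, s := range in {
		if blocked[s.Key] {
			return "", fmt.Errorf("sysctl %q is not allowed", s.Key)
		}
		parts = append(parts, s.Key+"="+s.Value)
	}
	return strings.Join(parts, "+"), nil
}

// JoinStrict also rejects the delimiter anywhere in a key or value.
func JoinStrict(in []Sysctl) (string, error) {
	for _, s := range in {
		if strings.Contains(s.Key+s.Value, "+") {
			return "", fmt.Errorf("sysctl %q contains the '+' delimiter", s.Key)
		}
	}
	return JoinKeysOnly(in)
}

// ParseJoined splits the argument the way a '+'-delimited consumer would.
func ParseJoined(arg string) []Sysctl {
	var out []Sysctl
	for _, p := range strings.Split(arg, "+") {
		if kv := strings.SplitN(p, "=", 2); len(kv) == 2 {
			out = append(out, Sysctl{Key: kv[0], Value: kv[1]})
		}
	}
	return out
}

func main() {
	arg, _ := JoinKeysOnly([]Sysctl{{Key: "allowed.key", Value: "+sensitive.key=othervalue"}})
	fmt.Printf("%q -> %v\n", arg, ParseJoined(arg))
}
```

The general point is that validation has to run on the same representation the consumer parses: either check after splitting on the delimiter, or refuse the delimiter in every field before joining.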