Vulnerabilities tagged "cloud"

runc/libcontainer: insecure handling of null-bytes in bind mount sources

Basic idea here is that you could mount unintended paths due to embeding null-bytes in acceptable mount and generally improper handling of null-bytes within a mount source.While Go does not provide any special handling for strings containing null bytes, the `send_mountsources` written in C just iterates over the provided message mounting every null-terminated substring and passes the resultant fds to the child...

SSRF vulnerability in AppSheet - Google VRP

Server-Side Request Forgery (SSRF) in the AppSheet product, an acquisition by Google which is a "no-code" application generator.One feature is that a web-hook can be executed in respond to supported events...

AWS SageMaker Jupyter Notebook Instance Takeover

Starts off by detailing a self XSS through JupyterLabs Notebook's `/lab` endpoint, where an attacker can control the page contents.In and of itself this isn't an issue, an attacker can only control the page contents of a notebook instance they own...

Bypassing required reviews using GitHub Actions

An attacker with write access to the repository could bypass branch protection rules that require all pull requests undergo a code-review before being merged.The issue is just a logic issue rooted in the fact that firstly, anyone with write access can create an unprotected branch and define GitHub Actions for it, and secondly that a GitHub action can perform code reviews (though restrictions can be added on who the approved reviewers are)...

Three Apple CloudKit Vulnerabilities

Three bugs relating to insecurely configured CloudKit containers, the big one being the accidental deletion of all Apple Shortcuts, but also the ability to delete records on Apple News, and modify data used on the iCrowd+ website.

Cross-Account Container Takeover in Azure Container Instances

**tl;dr** Cool chain to escape and impact other containers on `Azure Container Instances` hosted by Kubernetes clusters (some are hosted by Service Fabric Clusters which are not vulnerable in this way), first is the container escape itself into the containing node/vm, followed by a leaked JWT useful to run commands against all nodes in the cluster.