A high-severity vulnerability dubbed "LeakyCLI" has been found in the command-line interface tools of Google Cloud, Azure and AWS (the Azure CLI instance is tracked as CVE-2023-36052). The flaw causes access tokens and other sensitive information to be written, unintentionally, into GitHub Actions, TravisCI, CircleCI and Cloud Build logs. Threat actors who can read those logs can obtain the repository owners' credentials and reach the resources those credentials protect.
High-Severity "LeakyCLI" Vulnerability in Google Cloud, Azure, and AWS CLI Tools Exposes Sensitive Information
A high-severity vulnerability has been discovered in the command-line interface (CLI) tools of Google Cloud, Azure, and Amazon Web Services (AWS) that exposes sensitive information to parties who were never meant to see it. Dubbed "LeakyCLI," the flaw threatens organizations' security by potentially compromising confidential data.
The Azure CLI instance of the flaw is tracked as CVE-2023-36052. The underlying problem is that certain CLI commands echo a resource's environment variables to standard output, and CI/CD systems capture that output in build logs, so access tokens and other sensitive values, including credentials, usernames, and keys, end up in logs that were never intended to hold them. With those values an attacker can reach any resource available to the repository owners and go on to further malicious activity.
A report from cybersecurity firm Orca Security shows how the flaw surfaces in GitHub projects built on GitHub Actions, TravisCI, CircleCI, and Cloud Build: the CLI output captured in those build logs includes the environment variables of the deployed resources. The researchers emphasize that anyone able to read the logs can read those variables, and with them any confidential information they hold, including passwords.
"If malicious actors gain access to these environment variables, they could potentially view sensitive information, including credentials such as passwords, usernames, and keys," said Roi Nisimi, a researcher at Orca Security.
Microsoft addressed the bug in the Azure CLI in November 2023. Amazon and Google, however, consider the behavior expected and have not changed their tools; instead they encourage users to keep secrets in dedicated secrets storage services rather than in environment variables that a CLI command may echo.
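The leak described above happens when a CLI command echoes a resource's environment variables and the CI runner writes that output into its build log. The following Python, added here as an editor's example and not code from the article, from Orca Security, or from any cloud vendor, shows both halves of the defence the article recommends: a filter that masks secret-looking values in the CLI's JSON before it reaches the log, and a scanner to audit existing build logs for credentials that have already leaked. The JSON shape is modelled on the output of `aws lambda get-function-configuration`, a command the article does not name (an assumption on the editor's part); every value and log line is constructed for the example.

```python
import json
import re

# Constructed sample of the JSON that an `aws lambda get-function-configuration`
# call prints (shape assumed from the AWS CLI docs; the article names no
# command). Every value below is made up for the example.
SAMPLE_CLI_OUTPUT = json.dumps(
    {
        "FunctionName": "billing-export",
        "Runtime": "python3.12",
        "Environment": {
            "Variables": {
                "DB_HOST": "db.internal",
                "DB_PASSWORD": "hunter2-not-a-real-secret",
                "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
            }
        },
    },
    indent=2,
)

# Constructed CI build log: the step that ran the CLI, its echoed output, a trailer.
SAMPLE_CI_LOG = (
    ["[step] aws lambda get-function-configuration --function-name billing-export"]
    + SAMPLE_CLI_OUTPUT.splitlines()
    + ["[step] done"]
)

REDACTED = "***REDACTED***"
# Variable names that usually hold secrets; tune the list for your environment.
SENSITIVE_NAME = re.compile(r"PASS|PASSWORD|PWD|SECRET|TOKEN|KEY|CREDENTIAL", re.I)
# AWS access key IDs have a fixed prefix and length, so they are easy to spot in logs.
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# NAME: "value" or NAME=value, where the name looks secret-bearing and the value is non-trivial.
SECRET_ASSIGNMENT = re.compile(
    r'"?(\w*(?:PASSWORD|SECRET|TOKEN)\w*)"?\s*[:=]\s*"?([^"\s,]{8,})', re.I
)


def redact_environment(cli_output: str) -> str:
    """Mask secret-looking values under Environment.Variables in the CLI's JSON.

    Pipe CLI output through this in CI before it is printed, so the secret
    never reaches the build log regardless of how the CLI vendor rates the echo.
    Output without an Environment block is returned unchanged apart from formatting.
    """
    doc = json.loads(cli_output)
    variables = doc.get("Environment", {}).get("Variables", {})
    for name in list(variables):
        if SENSITIVE_NAME.search(name):
            variables[name] = REDACTED
    return json.dumps(doc, indent=2)


def find_leaks(log_lines):
    """Return (line_number, kind) for each log line that looks like it leaks a credential.

    Lines whose secret value is already the redaction marker are not reported,
    so the scanner can confirm that a redacted log is clean.
    """
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        if AWS_ACCESS_KEY_ID.search(line):
            hits.append((lineno, "aws_access_key_id"))
            continue
        match = SECRET_ASSIGNMENT.search(line)
        if match and match.group(2) != REDACTED:
            hits.append((lineno, "secret_assignment"))
    return hits


if __name__ == "__main__":
    print("leaks in the raw build log:", find_leaks(SAMPLE_CI_LOG))
    safe = redact_environment(SAMPLE_CLI_OUTPUT)
    print(safe)
    print("leaks after redaction:", find_leaks(safe.splitlines()))
```

In a real pipeline the CLI's stdout would be fed to `redact_environment` before anything is echoed, and `find_leaks` would be run over the build logs of the services the article names to find credentials that already escaped; anything it flags should be treated as compromised and rotated, not merely deleted from the log.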
Organizations are advised to act promptly to mitigate this high-severity vulnerability. Keeping the CLI tools updated and consistently using a secrets storage service, instead of placing secrets in environment variables, are essential to protect sensitive data and prevent unauthorized access.
Experts recommend the following best practices to minimize risk:
- Keep the cloud CLI tools and CI runners updated with the latest security patches.
- Use a secrets management service to store credentials and fetch them at runtime, rather than placing them in environment variables that a CLI command may echo into a log.
- Regularly review and audit CI/CD build logs for leaked credentials and other suspicious activity, and rotate any credential found in a log.
- Enforce strong password policies and enable multi-factor authentication.
By adhering to these guidelines, organizations can significantly reduce the likelihood of exploitation through the LeakyCLI vulnerability and safeguard their sensitive information from unauthorized access.