add new issues

vulnerabilities/badbuild.yaml

@@ -0,0 +1,35 @@
+title: Bad.Build
+slug: badbuild
+cves: null
+affectedPlatforms:
+- GCP
+affectedServices:
+- Cloud Build
+image: https://raw.githubusercontent.com/wiz-sec/open-cvdb/main/images/badbuild.jpg
+severity: Low
+discoveredBy:
+ name: Roi Nisimi
+ org: Orca Security
+ domain: orca.security
+ twitter: null
+publishedAt: 2023/07/18
+disclosedAt: null
+exploitabilityPeriod: null
+knownITWExploitation: false
+summary: |
+ An information disclosure vulnerability in the Google Cloud Build service could have
+ allowed an attacker to view sensitive logs if they had gained prior access to a GCP
+ environment and had permission to create a new Cloud Build instance (cloudbuild.builds.create)
+ or permission to directly impersonate the Cloud Build default service account (which is highly
+ privileged by design and therefore considered to be a known privilege escalation vector in GCP).
+ An attacker could then potentially use this information in order to better facilitate lateral movement,
+ privilege escalation or a supply chain attack by other means. This issue was due to excessive
+ permissions granted to the default service account created by Cloud Build, particularly access to
+ audit logs containing all project permissions (logging.privateLogEntries.list).
+manualRemediation: |
+ None required
+detectionMethods: null
+contributor: https://github.com/korniko98
+references:
+- https://cloud.google.com/build/docs/security-bulletins#GCP-2023-013
+- https://orca.security/resources/blog/bad-build-google-cloud-build-potential-supply-chain-attack-vulnerability/

vulnerabilities/power-platform-info-leak.yaml

@@ -0,0 +1,38 @@
+title: Power Platform Custom Code information disclosure
+slug: power-platform-info-leak
+cves: null
+affectedPlatforms:
+- Azure
+affectedServices:
+- Power Platform
+image: https://raw.githubusercontent.com/wiz-sec/open-cvdb/main/images/power-platform-info-leak.jpg
+severity: High
+discoveredBy:
+ name: Evan Grant
+ org: Tenable
+ domain: tenable.com
+ twitter: null
+publishedAt: 2023/08/04
+disclosedAt: 2023/03/30
+exploitabilityPeriod: null
+knownITWExploitation: false
+summary: |
+ A vulnerability in Power Platform could lead to unauthorized access to Custom
+ Code functions used for custom connectors, thereby allowing cross-tenant information
+ disclosure of secrets or other sensitive information if these were embedded in a
+ Custom Code function. The issue occurred as a result of insufficient access control
+ to Azure Function hosts, which are launched as part of the creation and operation of
+ custom connectors in Microsoft’s Power Platform. An attacker who determined the
+ hostname of the Azure Function associated with the custom connector could interact
+ with the function without authentication. Microsoft fixed the issue by requiring Azure
+ Function keys for accessing the Function hosts and their HTTP trigger. An initial fix
+ was deployed (on June 7th, 2023), but customers using affected Custom Code in a "soft
+ deleted state" (part of a data recovery mechanism) remained vulnerable until a later
+ fix was applied (on August 2nd, 2023).
+manualRemediation: |
+ None required
+detectionMethods: null
+contributor: https://github.com/korniko98
+references:
+- https://msrc.microsoft.com/blog/2023/08/microsoft-mitigates-power-platform-custom-code-information-disclosure-vulnerability/
+- https://www.tenable.com/security/research/tra-2023-25