No keys attached: Exploring GitHub-to-AWS keyless authentication flaws
Hijacking Cloud CI/CD Systems for Fun and Profit
How We Found Another GitHub Action Environment Injection Vulnerability in a Google Project
Red team: Journey from RCE to have total control of cloud infrastructure
From GitHub To Account Takeover: Misconfigured Actions Place GCP & AWS Accounts At Risk
Exploiting misconfigured Google Cloud Service Accounts from GitHub Actions
Azure Devops CICD Pipelines - Command Injection With Parameters, Variables And A Discussion On Runner Hijacking
Stealing GitHub staff's access token via GitHub Actions
Identifying vulnerabilities in GitHub Actions & AWS OIDC Configurations
Remote Code Execution Vulnerability in Azure Pipelines Can Lead To Software Supply Chain Attack
Leaking Secrets From GitHub Actions: Reading Files And Environment Variables, Intercepting Network/Process Communication, Dumping Memory
From Self-Hosted GitHub Runner to Self-Hosted Backdoor
How we Abused Repository Webhooks to Access Internal CI Systems at Scale
How to hack Github Actions
Zuckerpunch - Abusing Self Hosted Github Runners at Facebook
Google & Apache Found Vulnerable to GitHub Environment Injection
Vulnerable GitHub Actions Workflows Part 2: Actions That Open the Door to CI/CD Pipeline Attacks
Vulnerable GitHub Actions Workflows Part 1: Privilege Escalation Inside Your CI/CD Pipeline
Malicious Kubernetes Helm Charts can be used to steal sensitive information from Argo CD deployments
Unauthenticated Gitlab SSRF
"CI Knew There Would Be Bugs Here" — Exploring Continuous Integration Services as a Bug Bounty Hunter