
[CramHacks] Newsletter #19: GitLab Account Takeover & PyTorch gets torched

CramHacks Chronicles: Key Insights On Software Supply Chain Risks

🥳 Happy Monday! 🥳

Register for my talk on software supply chain security!

Software Supply Chain Security

HackerOne user asterion04 disclosed a critical GitLab vulnerability (CVE-2023-7028) that lets an attacker have the password reset email for another user's account delivered to an unverified email address of the attacker's choosing, which is all it takes for a full account takeover.

👋 Exploitation doesn’t get much simpler than this. Proof-of-concepts can be found on GitHub (e.g., CVE-2023-7028).

👋 If you read last week’s newsletter, you should be familiar with the risk of using self-hosted runners on public repositories!

The Apache Software Foundation (ASF) reviews key metrics, specific vulnerabilities, and the most common ways users of the ASF projects were affected by security issues.

👋 I really appreciate the insight into how this foundation is managing these projects and security vulnerabilities. I did notice new initiatives, including metadata consistency and SBOMs.

Guillaume Quéré breaks down why, if you use Docker registry mirrors, you should never list the remote (public) registry first in the registry-mirrors array of /etc/docker/daemon.json. The daemon consults mirrors in the order given, so doing so can easily result in pulling a malicious public image that shares a name with a legitimate private one.

👋 A blog post by Alex Birsan in 2021, Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies, was actually my first introduction to software supply chain security attacks. Unfortunately, this is still largely an unsolved issue.
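To make the mirror-ordering point concrete, here is an added example (my own, not code from Guillaume Quéré's post or from Docker): the weak and the corrected registry-mirrors ordering side by side, plus a small audit function you can point at /etc/docker/daemon.json on a fleet of hosts to flag any where the private registry is not consulted first. The hostnames registry.internal.example and hub-mirror.example.com and the image name acme/backend are hypothetical.

```shell
#!/bin/sh
# Added example: two registry-mirrors orderings for /etc/docker/daemon.json
# and an audit that flags hosts where the private registry is not first.
# Hostnames are assumptions, not taken from the newsletter or the linked post.

PRIVATE_REGISTRY="https://registry.internal.example"   # assumption: hosts private images
PUBLIC_MIRROR="https://hub-mirror.example.com"          # assumption: a pull-through proxy of docker.io

# Weak ordering: the public proxy answers before the private registry. Because
# registry-mirrors applies to every unqualified (docker.io) pull, `docker pull acme/backend`
# is served by whoever has published acme/backend on Docker Hub, not by your private image.
WEAK_JSON='{
  "registry-mirrors": [
    "https://hub-mirror.example.com",
    "https://registry.internal.example"
  ]
}'

# Corrected ordering: the private registry answers first. The daemon still falls
# back to later mirrors and finally to docker.io when the private registry has no
# such image, so fully qualified references (registry.internal.example/acme/backend)
# remain the robust fix; ordering only narrows the window.
FIXED_JSON='{
  "registry-mirrors": [
    "https://registry.internal.example",
    "https://hub-mirror.example.com"
  ]
}'

# first_mirror FILE: print the first entry of the registry-mirrors array in a daemon.json
# (whitespace-tolerant; prints nothing if the key is absent).
first_mirror() {
  tr -d '\n' < "$1" | sed -n 's/.*"registry-mirrors"[^[]*\[[^"]*"\([^"]*\)".*/\1/p'
}

# audit_mirrors FILE: return 0 if the private registry is consulted first, 1 otherwise.
audit_mirrors() {
  first="$(first_mirror "$1")"
  if [ "$first" = "$PRIVATE_REGISTRY" ]; then
    echo "ok: $1 consults $first first"
    return 0
  fi
  echo "WARN: $1 consults ${first:-<none>} before $PRIVATE_REGISTRY" >&2
  return 1
}

# Demo against constructed files; on a real host run: audit_mirrors /etc/docker/daemon.json
tmp="$(mktemp -d)"
printf '%s\n' "$WEAK_JSON"  > "$tmp/weak.json"
printf '%s\n' "$FIXED_JSON" > "$tmp/fixed.json"
audit_mirrors "$tmp/weak.json" || true   # expected: WARN
audit_mirrors "$tmp/fixed.json"          # expected: ok
```

The audit deliberately keys on the exact private registry URL rather than on "anything that is not Docker Hub", because a second public proxy listed first is just as exploitable as Docker Hub itself.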

Until Next Time! 👋 

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle