Java: CWE-798 - Hardcoded AWS credentials #129

Closed
luchua-bc opened this issue Jun 17, 2020 · 7 comments

@luchua-bc luchua-bc commented Jun 17, 2020

CVE ID(s)

List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database.

Report

Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.

Cloud services are being increasingly used in recent years, and AWS is one of the most popular service providers.

Authentication to AWS services, for example, the popular S3 cloud storage service, using the BasicAWSCredentials class of the Amazon client SDK library with hardcoded access key/secret key in Java code is against best practices and violates CWE-798.

Other approaches offered by AWS, including the AWS credentials file, environment variables, or instance/container credentials, are more secure and thus should be used instead.

For more information, please refer to the AWS Developer Guide.

Related PR #3729

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing
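As an added illustration (not code from the issue, the related PR, or the AWS SDK project), the pattern the issue describes beside the alternatives it recommends, using the AWS SDK for Java v1 classes the issue names. The class name `S3CredentialsExample`, the `source` selector and the region are hypothetical choices for the example; both key strings in the insecure method are constructed placeholders, not real credentials.

```java
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.auth.EnvironmentVariableCredentialsProvider;
import com.amazonaws.auth.InstanceProfileCredentialsProvider;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;

public class S3CredentialsExample {

    // CWE-798 pattern from the issue: the key pair is a string literal in the
    // source, so it ends up in every build artifact and in version-control history.
    // Both values below are constructed placeholders, not real AWS credentials.
    static AmazonS3 insecureClient() {
        BasicAWSCredentials creds = new BasicAWSCredentials(
                "AKIA-PLACEHOLDER-ACCESS-KEY",        // placeholder, not a real key
                "placeholder-secret-key-do-not-use"); // placeholder, not a real key
        return AmazonS3ClientBuilder.standard()
                .withCredentials(new AWSStaticCredentialsProvider(creds))
                .withRegion("us-east-1")
                .build();
    }

    // Hardened form: the default provider chain resolves credentials at runtime,
    // trying environment variables (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY),
    // JVM system properties, the shared credentials file (~/.aws/credentials),
    // and container or EC2 instance profile credentials. Nothing secret is in source.
    static AmazonS3 secureClient() {
        return AmazonS3ClientBuilder.standard()
                .withCredentials(DefaultAWSCredentialsProviderChain.getInstance())
                .withRegion("us-east-1")
                .build();
    }

    // Same idea when a deployment wants exactly one of the sources the issue lists
    // rather than the whole chain. The "source" string is a hypothetical selector.
    static AmazonS3 secureClientFromSource(String source) {
        AWSCredentialsProvider provider;
        switch (source) {
            case "env":
                provider = new EnvironmentVariableCredentialsProvider();
                break;
            case "profile":
                provider = new ProfileCredentialsProvider();
                break;
            case "instance":
                provider = InstanceProfileCredentialsProvider.getInstance();
                break;
            default:
                throw new IllegalArgumentException("unknown credential source: " + source);
        }
        return AmazonS3ClientBuilder.standard()
                .withCredentials(provider)
                .withRegion("us-east-1")
                .build();
    }

    public static void main(String[] args) {
        // Building the client does not contact AWS; credentials are only resolved
        // when a request is sent, so this runs offline.
        AmazonS3 s3 = secureClient();
        System.out.println("client built with runtime-resolved credentials: " + (s3 != null));
    }
}
```

The difference a static-analysis query keys on is visible in the first method only: a `BasicAWSCredentials` constructor whose arguments are compile-time string literals. Rotating a key that was ever committed this way is the remediation, since deleting the line does not remove it from history.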
@luchua-bc luchua-bc commented Aug 5, 2020

@xcorail As the PR of this issue was approved and closed about four weeks ago, would you please close this issue when you have a chance? Thanks in advance for your help.

@ghsecuritylab ghsecuritylab commented Aug 11, 2020

Your submission is now in status CodeQL review.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

@ghsecuritylab ghsecuritylab commented Aug 12, 2020

Your submission is now in status SecLab finalize.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

@ghsecuritylab ghsecuritylab commented Aug 12, 2020

Your submission is now in status Pay.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

@xcorail xcorail commented Aug 12, 2020

Created Hackerone report 956967 for bounty 237854 : [129] Java: CWE-798 - Hardcoded AWS credentials 🎉

@xcorail xcorail closed this Aug 12, 2020

@ghsecuritylab ghsecuritylab commented Aug 12, 2020

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

@luchua-bc luchua-bc commented Aug 12, 2020

Thanks @xcorail for looking into the issue and the quick turn-around.
