Goal:

List of all the Publicly disclosed vulnerabilities of Public Cloud Provider like Amazon Web Services (AWS), Microsoft Azure, Google Cloud, Oracle Cloud, IBM Cloud etc

NOTE: This list will not cover any data breaches caused by misconfiguration

Table of contents

• Contribute
• Cloud Security Provider Vulnerabilites
  • Amazon Web Services (AWS)
  • Microsoft Azure
  • Google Cloud
  • Oracle Cloud
  • IBM Cloud
  • All Cloud
• Useful Links
  • Security Bulletin
  • Vulnerability Disclosure

Contribute

Do you want to contribute to this list? Feel free to send a PR.

Cloud Service Provider Vulnerabilites

Amazon Web Services (AWS)

• AWS: Execution in CloudFormation service account – Published: 26 August,2020 – Status: RESOLVED
• AWS IAM Cross Account – Published: 4 August,2021 – Status: RESOLVED
• AWS SageMaker Notebook – Published: 7 December,2021 – Status: RESOLVED
• Breaking Formation: AWS Cloudformation– Published: 13 Jan,2022 – Status: RESOLVED
• SuperGlue: AWS Glue – Published: 13 Jan,2022 – Status: RESOLVED

Microsoft Azure

• ChaosDB:Azure Cosmos DB – Published: 7 August,2021 – Status: RESOLVED
• Azure: Azurescape – Published: 9 September,2021 – Status: RESOLVED
• OMIGOD:Microsoft Open Management Infrastructure (OMI) – Published: 14 September,2021 – Status: RESOLVED
• NotLegit: Azure App Service – Published: 21 December,2021 – Status: RESOLVED
• ExtraReplica:Azure PostgreSQL – Published: 28 April,2022 – Status: RESOLVED
• AutoWrap: Azure Automation – Published: 7 March,2021 – Status: RESOLVED
• Synapse: Azure Synapse Analytics – Published: 9 May,2021 – Status: PARTIAL(requires User Caution)

Google Cloud

Oracle Cloud

IBM Cloud

All Cloud

• sudo vulnerability – Published 6 August,2021 – Status: PARTIAL (requires User Caution)
• Dynamic DNS – Published 6 August,2021 – Status: PARTIAL (requires User Caution)
• Log4Shell – Published 13 December,2021 – Status: Resolved
• Spring4Shell – Published 13 March,2022 – Status: Resolved

Useful Links

Security Bulletin

• Amazon Web Services (AWS) – (link)
• Microsoft – (link)
• Google Cloud – (link)

Vulnerability Disclosure

All identified vulnerabilities should be disclosed to the vendors/maintainers of affected software or hardware systems directly. All major cloud providers have published disclosure addresses

• AWS – (link)
• Azure – (link)
• Google GCP – (link)
• Oracle OCI – (link).

Awesome Community Links

• Toni De La Fuente – My-Arsenal-of-aws-security-tools
• Scott Piper – csp_security_mistakes