32.Lock Code Circular

AWS has patched a vulnerability in the public side of its Elastic Container Registry (ECR Public) that was uncovered by Lightspin researcher Gafnit Amiga while examining the ECR APIs.

The vulnerability “allowed external actors to delete, update, and create ECR Public images, layers, and tags in registries and repositories that belong to other AWS Accounts, by abusing undocumented internal ECR Public API actions”.

Because a modified image would be served under the original publisher's repository and tag, with nothing to signal that it had been altered, an attacker could plant malware in widely used images and every consumer pulling that tag would receive it, turning the registry into a software supply chain attack vector.

Elastic Container Registry’s Public Gallery hosts popular projects such as NGINX, Ubuntu Linux, Amazon Linux, and HashiCorp’s Consul.
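The "update tags and layers" capability above is only dangerous to consumers who pull by mutable tag; a reference pinned to the manifest digest is content-addressed, so a re-pointed tag or swapped layer changes the digest and the pull can be rejected. The following is an added illustration of that check, written for this page and not code from Lightspin or AWS. The repository name `public.ecr.aws/example/app`, both manifests and the functions `is_digest_pinned` and `verify_pinned_manifest` are constructed for the example.

```python
import hashlib
import hmac
import json
import re

# A content-addressed reference looks like
#   public.ecr.aws/<repo>@sha256:<64 hex chars>
# The digest is computed over the manifest bytes the registry serves, so it
# cannot be re-pointed the way a tag such as ":latest" can.
_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def manifest_digest(manifest_bytes: bytes) -> str:
    """Digest of a manifest as registries compute it: sha256 over the raw bytes."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def is_digest_pinned(reference: str) -> bool:
    """True only if the image reference carries a well-formed sha256 digest."""
    if "@" not in reference:
        return False
    digest = reference.rsplit("@", 1)[1]
    return _DIGEST_RE.fullmatch(digest) is not None


def verify_pinned_manifest(manifest_bytes: bytes, reference: str) -> bool:
    """Compare fetched manifest bytes against the digest pinned in the reference.

    Returns False for a tag-only reference as well as for a digest mismatch,
    so a caller can fail closed in both cases.
    """
    if not is_digest_pinned(reference):
        return False
    expected = reference.rsplit("@", 1)[1]
    return hmac.compare_digest(manifest_digest(manifest_bytes), expected)


def _encode(manifest: dict) -> bytes:
    # Deterministic encoding for the constructed samples below. A real client
    # hashes the bytes exactly as served and must not re-serialise them.
    return json.dumps(manifest, separators=(",", ":"), sort_keys=True).encode()


# Constructed sample data (hypothetical, not real ECR Public content).
ORIGINAL_MANIFEST = _encode({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
               "digest": "sha256:" + "11" * 32, "size": 1234},
    "layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
                "digest": "sha256:" + "22" * 32, "size": 56789}],
})

# The same manifest after the only layer has been replaced, which is what
# updating layers in another account's repository would let an attacker do
# while the tag name stays unchanged.
TAMPERED_MANIFEST = _encode({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
               "digest": "sha256:" + "11" * 32, "size": 1234},
    "layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
                "digest": "sha256:" + "33" * 32, "size": 56789}],
})

REPO = "public.ecr.aws/example/app"  # hypothetical repository name
TAG_REFERENCE = REPO + ":1.0"        # mutable: whatever the tag points at today
PINNED_REFERENCE = REPO + "@" + manifest_digest(ORIGINAL_MANIFEST)  # recorded at build time


if __name__ == "__main__":
    print("tag reference pinned?     ", is_digest_pinned(TAG_REFERENCE))
    print("original manifest verifies", verify_pinned_manifest(ORIGINAL_MANIFEST, PINNED_REFERENCE))
    print("tampered manifest verifies", verify_pinned_manifest(TAMPERED_MANIFEST, PINNED_REFERENCE))
```

Digest pinning limits the blast radius for consumers but does nothing for the other capabilities named in the advisory, such as deleting images or creating new repositories in someone else's account; those were only closable on AWS's side, which is why the fix was to the service itself.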