Full Report
And it's 'not unique to AWS,' researcher tells The Reg A critical misconfiguration in AWS's CodeBuild service allowed complete takeover of the cloud provider's own GitHub repositories and put every AWS environment in the world at risk, according to Wiz security researchers.…
Analysis Summary
# Vulnerability: AWS CodeBuild Unanchored Regex in Webhook Filters (CodeBreach)
## CVE Details
- CVE ID: Not explicitly mentioned in the summary, but the flaw was disclosed and fixed by AWS.
- CVSS Score: Not provided in the summary. Likely High/Critical given the potential impact described.
- CWE: CWE-180 (Improper Neutralization of Special Elements in an Output Context, potentially related to unsanitized regex behavior) or CWE-20 (Improper Input Validation).
## Affected Systems
- Products: AWS CodeBuild service, specifically when configured to connect to GitHub repositories using webhooks.
- Versions: Internal AWS configurations that used an unanchored regular expression in the `ACTOR_ID` webhook filter list.
- Configurations: Public CodeBuild projects configured to run builds on pull requests using the `ACTOR_ID` webhook filter rule.
## Vulnerability Description
The vulnerability, dubbed "CodeBreach" by Wiz researchers, stemmed from a critical misconfiguration in AWS CodeBuild's GitHub webhook filters. Specifically, when using the `ACTOR_ID` filter (designed to allow only specific, trusted GitHub user IDs to trigger a build), the regular expression used was **unanchored** (lacking the start `^` and end `$` anchors).
This lack of anchoring allowed an attacker submitting a pull request to craft a payload that merely *contained* one of the allowed Actor IDs somewhere in the matched value, so the intended check passed and CodeBuild triggered a run it treated as authorized. This could grant an attacker administrative-level privileges over build pipelines, potentially leading to code execution within the build environment, which handles sensitive tokens and builds core AWS infrastructure libraries.
## Exploitation
- Status: Proof of Concept (PoC) demonstrated by researchers; not reported as exploited in the wild by malicious actors prior to disclosure.
- Complexity: Low (Described as relying on "standard developer workflows - forking a repo and submitting a pull request - rather than sophisticated exploits").
- Attack Vector: Network (Via malicious GitHub Pull Request).
## Impact
- Confidentiality: High (Potential access to build secrets, tokens, and sensitive repository data).
- Integrity: Critical (Potential to inject backdoors into core AWS libraries, including the AWS SDK, potentially leading to compromise of the AWS Console itself).
- Availability: Medium (While direct service downtime isn't the primary goal, supply chain compromise has wide-ranging availability risks).
## Remediation
### Patches
- AWS fixed the issue starting in September (disclosed in August). The core fix was ensuring the regular expressions used in webhook filters were properly **anchored** (`^...$`) to enforce exact matches, mitigating the actor ID bypass.
### Workarounds
- AWS enacted "further protections of all build processes that contain Github tokens or any other credentials in memory."
- Auditing of all public build environments and associated logs (CloudTrail) was performed to ensure no similar flaws existed and that the vulnerability was not abused.
- **General Mitigation:** Developers using CI/CD systems (including GitHub Actions, Jenkins, or other cloud CI services) should ensure that all regex patterns used for event filtering or access control are properly anchored to prevent substring injection attacks.
## Detection
- Indicators of compromise: Unexpected build executions triggered by untrusted actors on sensitive repositories (especially build definition files or external contributor PRs).
- Detection methods and tools: Monitoring CodeBuild logs for successful builds triggered by pull requests where the commit author ID does not strictly match expected allow-lists, or inspecting the source code/configuration of CI pipelines for unanchored regular expressions in filtering logic.
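As an added illustration of the vulnerability description, the general mitigation and the configuration-inspection detection method above (example code written for this summary, not code from AWS, Wiz or The Register), the block below shows a search-style matcher evaluating an unanchored allow-list pattern beside its anchored form, and a small lint that flags unanchored patterns in a webhook filter configuration. The filter-group structure, the `ACTOR_ID` type name taken from the summary, and all actor IDs are constructed sample data; the matcher is illustrative and is not CodeBuild's own implementation.

```python
import re

# Constructed allow-list of trusted actor IDs (placeholders, not real accounts).
TRUSTED_ACTOR_IDS = ["12345", "67890"]


def build_filter_pattern(actor_ids, anchored):
    """Build an allow-list regex; anchored=True wraps it in ^(...)$ so it
    can only match the whole value, never a substring."""
    alternation = "|".join(re.escape(a) for a in actor_ids)
    return f"^({alternation})$" if anchored else f"({alternation})"


def actor_allowed(actor_id, pattern):
    """Illustrative filter evaluation using a search-style matcher: an
    unanchored pattern is satisfied by any value that *contains* a match."""
    return re.search(pattern, actor_id) is not None


def _top_level_alternation(body):
    """True if '|' appears outside any group or character class, which means
    ^ and $ placed at the ends only anchor the first and last alternative."""
    depth, in_class, i = 0, False, 0
    while i < len(body):
        c = body[i]
        if c == "\\":
            i += 2          # skip escaped character
            continue
        if in_class:
            in_class = c != "]"
        elif c == "[":
            in_class = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        elif c == "|" and depth == 0:
            return True
        i += 1
    return False


def is_anchored(pattern):
    """Heuristic: a pattern matches whole values only if it starts with ^,
    ends with an unescaped $, and any top-level alternation is grouped."""
    if not (pattern.startswith("^") and pattern.endswith("$")
            and not pattern.endswith("\\$")):
        return False
    return not _top_level_alternation(pattern[1:-1])


# Constructed webhook filter configuration (shape assumed for this example).
# Each inner list is one filter group; a build runs if every filter in a
# group matches. EVENT filters take an event-name list, not a regex.
SAMPLE_FILTER_GROUPS = [
    [
        {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED"},
        {"type": "ACTOR_ID", "pattern": "12345|67890"},       # weak: unanchored
    ],
    [
        {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED"},
        {"type": "ACTOR_ID", "pattern": "^(12345|67890)$"},   # corrected form
    ],
]


def find_unanchored_filters(filter_groups):
    """Return (group_index, type, pattern) for every regex filter that does
    not anchor both ends; this is the configuration check described above."""
    findings = []
    for gi, group in enumerate(filter_groups):
        for f in group:
            if f.get("type") != "EVENT" and not is_anchored(f["pattern"]):
                findings.append((gi, f["type"], f["pattern"]))
    return findings


if __name__ == "__main__":
    weak = build_filter_pattern(TRUSTED_ACTOR_IDS, anchored=False)
    fixed = build_filter_pattern(TRUSTED_ACTOR_IDS, anchored=True)
    untrusted = "98123456"  # constructed: contains "12345" as a substring
    print("unanchored allows untrusted actor:", actor_allowed(untrusted, weak))
    print("anchored allows untrusted actor:  ", actor_allowed(untrusted, fixed))
    for finding in find_unanchored_filters(SAMPLE_FILTER_GROUPS):
        print("unanchored filter:", finding)
```

The lint deliberately treats `^a|b$` as unanchored, since the anchors there bind only to the outer alternatives; the safe shape is `^(a|b)$`. Run the same check over any CI system's filter or branch-protection patterns, not only CodeBuild's.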
## References
- Vendor advisories: AWS statement confirming remediation (via Wiz report).
- Relevant links (defanged): none given in the summary; search "CodeBreach Wiz AWS" for technical details.