Remote Cache Poisoning Vulnerability in Build Systems with Bucket-Based Storage
A critical security vulnerability exists in remote cache extensions for build systems using bucket-based remote caches like Amazon S3 and Google Cloud Storage. This vulnerability allows contributors with pull request access to inject compromised artifacts from untrusted environments into trusted production environments without detection. The flaw stems from a "first-to-cache wins" design principle, enabling attackers to poison the cache used by trusted environments through artifacts built in untrusted feature branches or pull requests. The attack circumvents traditional security protections such as encryption, access controls, and checksum validation by compromising artifacts during their initial construction phase, before any security measures can be applied.
| Vulnerable Product | Search on Vulmon | Subscribe to Product |
|---|---|---|
niklas portmann nx-remotecache-azure 0 |
||
niklas portmann nx-remotecache-minio 0 |
||
niklas portmann nx-remotecache-custom 0 |
||
nx s3-cache 0 |
||
nx gcs-cache 0 |
||
nx azure-cache 0 |
||
nx shared-fs-cache 0 |
||
niklas portmann azure based remote cache plugin for nx |
||
niklas portmann minio based remote cache plugin for nx |
||
niklas portmann nx remote cache utilities |
||
nx aws s3 remote cache plugin for nx |
||
nx gcs remote cache plugin for nx |
||
nx azure blob remote cache plugin for nx |
||
nx shared file system cache plugin for nx |
Vulmon