Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Broken link pointing to an unclaimed S3 bucket #2099

Open
r-bartlett-gsa opened this issue Dec 18, 2024 · 4 comments · Fixed by #2101 or #2116
Open

Broken link pointing to an unclaimed S3 bucket #2099

r-bartlett-gsa opened this issue Dec 18, 2024 · 4 comments · Fixed by #2101 or #2116
Assignees
@jairoanaya
Labels
High priority

Comments

@r-bartlett-gsa
Copy link
Member

A public facing vulnerability has been identified via the GSA Vulnerability Disclosure Policy.

URL: https://github.com/GSA/challenges-and-prizes
Finding Details: It has been found that a broken link pointing to an unclaimed S3 bucket at https://github.com/GSA/challenges-and-prizes/blob/f90a91565672f1743691fde6210d13a2da0eb6d3/_all-challenges/living-stories-challenge.md
Severity: Low

Steps to reproduce:

  1. Navigate to https://github.com/GSA/challenges-and-prizes/blob/f90a91565672f1743691fde6210d13a2da0eb6d3/_all-challenges/living-stories-challenge.md

  2. Scroll down and observe that a link pointing to the nga-challenge S3 bucket is present:
    Image

  3. Clicking the link will open a new tab pointing to a bucket the hacker managed to claim
@r-bartlett-gsa r-bartlett-gsa added this to the Sprint 12/31/24 milestone Dec 18, 2024
@jairoanaya jairoanaya self-assigned this Dec 18, 2024
@jairoanaya jairoanaya mentioned this issue Dec 19, 2024
Merged
@jairoanaya jairoanaya linked a pull request Dec 19, 2024 that will close this issue
Fix Broken link pointing to an unclaimed S3 bucket #2101
Merged
@kkrug kkrug reopened this Dec 20, 2024
@r-bartlett-gsa
Copy link
Member Author

@jairoanaya This was reviewed on staging and can be pushed to prod. Thank you!

@r-bartlett-gsa r-bartlett-gsa linked a pull request Dec 31, 2024 that will close this issue
Undoing SRI, removing S3 reference #2116
Merged
@r-bartlett-gsa
Copy link
Member Author

@jairoanaya The broken link also needs to be removed from this branch: https://github.com/GSA/challenges-and-prizes/blob/f90a91565672f1743691fde6210d13a2da0eb6d3/_all-challenges/living-stories-challenge.md

@r-bartlett-gsa
Copy link
Member Author

@jairoanaya The broken link also needs to be removed from this branch: https://github.com/GSA/challenges-and-prizes/blob/f90a91565672f1743691fde6210d13a2da0eb6d3/_all-challenges/living-stories-challenge.md

@jairoanaya Checking in on this ^^^

@r-bartlett-gsa r-bartlett-gsa removed this from the Sprint 01/14/25 milestone Jan 15, 2025
@r-bartlett-gsa
Copy link
Member Author

Update from Jay: https://docs.google.com/document/d/1t6_2FNKp_MSDA00LWaKUfdPcdBxBQ8shhNjUwL3fYbY/edit?usp=sharing

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jairoanaya jairoanaya

Labels
High priority
Projects
None yet
Milestone
No milestone
3 participants
@jairoanaya @kkrug @r-bartlett-gsa