LeakyCLI Flaw Exposes AWS and Google Cloud Credentials

Security researchers have discovered a new vulnerability affecting command-line tools used in cloud environments.
Dubbed “LeakyCLI” by the Orca Security team, the flaw exposes sensitive credentials in logs, posing potential risks to organizations utilizing AWS and Google Cloud platforms.
The issue mirrors a previously identified vulnerability in Azure CLI (CVE-2023-36052, with a CVSS score of 8.6), which Microsoft addressed last November. Despite Microsoft’s fix, AWS and Google Cloud CLI remain susceptible to the same flaw.
The vulnerability arises from specific commands within these CLIs inadvertently exposing environment variables containing sensitive information.
Adversaries could exploit this exposure, potentially gaining access to critical credentials such as passwords and keys, thereby compromising resources within affected repositories. This risk is particularly pronounced in Continuous Integration and Continuous Deployment (CI/CD) pipelines.
“CLI commands are by default assumed to be running in a secure environment, but coupled with CI/CD pipelines, they may pose a security threat,” reads an advisory published by Orca today.
“This bypasses secret labeling, which aims to block sensitive exposure because the credentials that are printed back to stdout [the default stream where a program writes its output data] were never defined by the user during the automation setup.”
Orca promptly notified both Google and AWS upon discovery, yet both companies said they consider this behavior within expected design parameters. To mitigate the risk, Orca said organizations should refrain from storing secrets in environment variables, and instead retrieve them from dedicated secrets store services like AWS Secrets Manager.
By following proper protocols, organizations can safeguard against potential exploitation of vulnerabilities like LeakyCLI, thus ensuring the integrity and security of their cloud infrastructures.
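The advisory's point about secret labeling is that a CI system can only mask values it was told about, so a credential echoed back by a CLI call has to be caught by inspecting the output itself. The following is an added example, not code from Orca or from either cloud provider: a filter a pipeline step could pipe CLI JSON output through before it reaches the build log. The key-name patterns, the `Environment`/`Variables` layout of the sample and all function names are assumptions made for illustration.

```python
import json
import re

# Assumed heuristic (not from the advisory): key names that usually hold secrets.
SENSITIVE_KEY = re.compile(r"(secret|token|passw|api[_-]?key|credential|private[_-]?key)", re.I)
# AWS access key IDs: prefix AKIA (long-term) or ASIA (temporary) plus 16 characters.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
MASK = "***REDACTED***"

def redact(node, findings, path="$"):
    """Return a copy of parsed JSON with secret-looking values masked; record their paths."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(value, str) and SENSITIVE_KEY.search(key):
                findings.append(child)      # key name marks the value as sensitive
                out[key] = MASK
            else:
                out[key] = redact(value, findings, child)
        return out
    if isinstance(node, list):
        return [redact(v, findings, f"{path}[{i}]") for i, v in enumerate(node)]
    if isinstance(node, str) and AWS_KEY_ID.search(node):
        findings.append(path)               # value itself looks like a credential
        return AWS_KEY_ID.sub(MASK, node)
    return node

def filter_cli_output(raw):
    """Filter one CLI response before logging it. Fails closed when it is not JSON."""
    try:
        doc = json.loads(raw)
    except ValueError:
        return "[output suppressed: not JSON, cannot inspect]", ["$"]
    findings = []
    return json.dumps(redact(doc, findings), indent=2), findings

# Constructed sample: a resource description that echoes stored environment variables.
# AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in AWS documentation.
SAMPLE = json.dumps({
    "Name": "build-worker",
    "Environment": {"Variables": {
        "DB_PASSWORD": "example-not-a-real-password",
        "LOG_LEVEL": "debug", "UPLOAD_ID": "AKIAIOSFODNN7EXAMPLE",
    }},
})

if __name__ == "__main__":
    text, hits = filter_cli_output(SAMPLE)
    print(text, "redacted: " + ", ".join(hits), sep="\n")
```

A non-empty findings list is also a useful signal to fail the build, since it means a secret is stored where a routine CLI call can read it back.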