VDB

GCVE-110-CLOUD-2022-0048

GCVE-110-CLOUD-2022-0048
Advisory Published
Vulnetix · Advisory published February 3, 2022
When customers attach a CodeBuild project to their VPC, CodeBuild’s build container will apply the same network routing rules as defined in the customer’s VPC Security Group. However, CodeBuild EC2 hosts retained Internet connectivity via AWS's own VPC, thus allowing an attacker to bypass any custom VPC rules the customer had set up, and use CodeBuild for data exfiltration from the targeted environment. AWS later updated the CodeBuild service to block all outbound network access for newly created CodeBuild projects which contain a customer-defined VPC configuration.

Affected Products

VendorProductVersionsPlatforms
AWSConnect
AWSCloud Services
AWSConfig
AWSCodeBuild
AWSEC2

References

advisory

Browse GCVE Records

73,685 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›