How We Exploited CodeRabbit: From a Simple PR to RCE and Write Access on 1M Repositories

research.kudelskisecurity.com

cross-posted to:
hackernews

How We Exploited CodeRabbit: From a Simple PR to RCE and Write Access on 1M Repositories

research.kudelskisecurity.com

Pro@programming.devM to

Technology@programming.devEnglish · 20 days ago

cross-posted to:
hackernews

In this blog post, we explain how we got remote code execution (RCE) on CodeRabbit’s production servers, leaked their API tokens and secrets, how we could have accessed their PostgreSQL datab…

Black Hat USA presentation.

Comments

Hackernews

In this blog post, we explain how we got remote code execution (RCE) on CodeRabbit’s production servers, leaked their API tokens and secrets, how we could have accessed their PostgreSQL database, and how we obtained read and write access to 1 million code repositories, including private ones.

You must log in or register to comment.

Chat

Technology@programming.dev

Create a post

You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !Technology@programming.dev

Share interesting Technology news and links.

Rules:

No paywalled sites at all.
News articles has to be recent, not older than 2 weeks (14 days).
No external video links, only native(.mp4,…etc) links under 5 mins.
Post only direct links.

To encourage more original sources and keep this space commercial free as much as I could, the following websites are Blacklisted:

Al Jazeera;
NBC;
CNBC;
Substack;
Tom’s Hardware;
ZDNet;
TechSpot;
Ars Technica;
Vox Media outlets, with exception for Axios;
Engadget;
TechCrunch;
Gizmodo;
Futurism;
PCWorld;
ComputerWorld;
Mashable;
Hackaday;
WCCFTECH;
Neowin.

More sites will be added to the blacklist as needed.

Encouraged:

Archive links in the body of the post.
Linking to the direct source, instead of linking to an article talking about the source.

Misc:

Relevant Communities:

Beehaw Technology- Technology Related Discussions.
lemmy.zip Technology- Hard Tech news.

Visibility: Public

This community can be federated to other instances and be posted/commented in by their users.

2 users / day
2 users / week
9 users / month
9 users / 6 months
0 local subscribers
532 subscribers
520 Posts
0 Comments
Modlog

mods:
Pro@programming.dev