Wiz got RCE on the cloud version of Github.com and access to every customer environment.
-
Almost every time a SaaS supplier tells you a CVE in their product doesn't apply to their SaaS version.. it means they patched it before issuing the CVE.
@GossiTheDog You're describing the Microsoft method
-
Wiz got RCE on the cloud version of Github.com and access to every customer environment.
To do this they just reversed the on prem version and found a simple vuln.
@GossiTheDog Here's a non-Twitter link: https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854
-
Almost every time a SaaS supplier tells you a CVE in their product doesn't apply to their SaaS version.. it means they patched it before issuing the CVE.
@GossiTheDog Can I quote you on that?
-
R relay@relay.infosec.exchange shared this topic
-
Wiz got RCE on the cloud version of Github.com and access to every customer environment.
To do this they just reversed the on prem version and found a simple vuln.
@GossiTheDog A header injection? In *this* economy?!
-
Almost every time a SaaS supplier tells you a CVE in their product doesn't apply to their SaaS version.. it means they patched it before issuing the CVE.
@GossiTheDog Totally
-
@GossiTheDog A header injection? In *this* economy?!
@henryk @GossiTheDog I was hoping for an exciting eyploit and was left rather disappointed
-
Wiz got RCE on the cloud version of Github.com and access to every customer environment.
To do this they just reversed the on prem version and found a simple vuln.
@GossiTheDog Oh, phew. I thought this was an RCE impacting Wiz lightbulbs.
-
Almost every time a SaaS supplier tells you a CVE in their product doesn't apply to their SaaS version.. it means they patched it before issuing the CVE.
@GossiTheDog at least while I’m in charge of issuing CVEs, we won’t do this.
-
@xconde @GossiTheDog as long as they also check for abuse of the exploit and Inform you about it. Which would be handy to have a cve number attached to the report.
So, they should still fix and then notify but can't just say "cloud is not affected" if they mean, "cloud is no longer vulnerable" -
Almost every time a SaaS supplier tells you a CVE in their product doesn't apply to their SaaS version.. it means they patched it before issuing the CVE.
@GossiTheDog It’s a very Bill Clinton “depends on the meaning of the word ‘is’” approach to truth.
-
Almost every time a SaaS supplier tells you a CVE in their product doesn't apply to their SaaS version.. it means they patched it before issuing the CVE.
@GossiTheDog They explicitly say so in their blog post, so ... ?
-
Wiz got RCE on the cloud version of Github.com and access to every customer environment.
To do this they just reversed the on prem version and found a simple vuln.
@GossiTheDog this is massive, have Github made a public response?
