An OpenID Connect (OIDC) implementation within a continuous integration/continuous deployment (CI/CD) environment can be vulnerable to exploitation by threat actors if not configured properly.
A problematic pattern was discovered in CircleCI’s OIDC implementation, allowing unauthorized access to restricted resources.
This kind of misconfiguration can grant unauthorized access to potentially sensitive resources, such as a company’s entire cloud environment.
To prevent this type of exploitation, OIDC claims must be rigorously validated and sound CI/CD security practices must be followed.
Organizations should pay special attention to federation policies and custom claim formats during OIDC configuration to avoid such misconfigurations.
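As an added illustration (not code from the report or from CircleCI), the following Python models a federation trust policy evaluated against constructed token payloads that are assumed to be signature-verified and unexpired already; the issuer URL, claim layout and project names are hypothetical. It shows how a wildcard condition over the whole subject claim admits a token minted for a different project in the same organization, while pinning issuer, audience and the exact subject does not.

```python
import fnmatch
from dataclasses import dataclass, field


@dataclass
class TrustPolicy:
    """Federation trust policy: which CI tokens may assume the cloud role."""
    issuer: str
    audience: str
    string_equals: dict = field(default_factory=dict)  # exact-match claim conditions
    string_like: dict = field(default_factory=dict)    # glob-match claim conditions


def evaluate(policy: TrustPolicy, claims: dict) -> bool:
    """Return True only if already-verified claims satisfy every policy condition."""
    if claims.get("iss") != policy.issuer:
        return False
    aud = claims.get("aud")
    if policy.audience not in (aud if isinstance(aud, list) else [aud]):
        return False
    for name, expected in policy.string_equals.items():
        if claims.get(name) != expected:
            return False
    for name, pattern in policy.string_like.items():
        # fnmatch's "*" also matches "/", so it spans claim segments freely.
        if not fnmatch.fnmatchcase(str(claims.get(name, "")), pattern):
            return False
    return True


# Constructed sample tokens; the issuer and "org/.../project/.../branch/..." layout are hypothetical.
ISSUER = "https://oidc.ci.example"
TOKENS = {
    "intended": {"iss": ISSUER, "aud": ["cloud-deploy"],
                 "sub": "org/acme/project/payments/branch/main"},
    "other_project": {"iss": ISSUER, "aud": ["cloud-deploy"],
                      "sub": "org/acme/project/sandbox/branch/main"},
    "wrong_audience": {"iss": ISSUER, "aud": ["other-tenant"],
                       "sub": "org/acme/project/payments/branch/main"},
}

# Lax policy: trusts any token from the organization via a wildcard over the subject.
LAX = TrustPolicy(ISSUER, "cloud-deploy", string_like={"sub": "org/acme/*"})
# Strict policy: pins the exact subject, so no other project or branch can assume the role.
STRICT = TrustPolicy(ISSUER, "cloud-deploy",
                     string_equals={"sub": "org/acme/project/payments/branch/main"})


def audit() -> dict:
    """Map each sample token to (accepted_by_lax, accepted_by_strict)."""
    return {name: (evaluate(LAX, tok), evaluate(STRICT, tok)) for name, tok in TOKENS.items()}


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name:15} lax={result[0]!s:5} strict={result[1]!s:5}")
```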
Further, CircleCI has issued a response explaining how it addressed the vulnerability and provided recommendations for improving security.
This report is accompanied by a presentation delivered at DEF CON 32 in August 2024.
The presentation is titled “Oh-My-DC” and is available to view online.