by kolme 648 days ago
Yes, that first part was not. But the article continues like this:

- They use those credentials to make a commit adding malicious code to the CI pipeline

- The rogue pipeline job adds their public SSH key to the `.allowed_keys` file in the production server

As the pipeline is run automatically on push, they get ssh access to the remote server.

That is the "CI / CD Pipelines" bit. That being said, it's a bit underwhelming, because given the title I thought they were going to exploit a bug in the CI/CD software itself. I don't know if I'd call that "exploiting" CI/CD software.
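The scenario in the comment above ends with a pipeline job appending a public key to the production host's key file. One defensive counterpart is to treat the set of keys allowed on a host as known configuration and flag anything else that appears in an OpenSSH `authorized_keys`-style file. The following is an added example, not code from the thread or from the article being discussed; the key blobs, file contents and the `ALLOWED` allowlist are constructed for the example.

```python
"""Audit an OpenSSH authorized_keys-style file against an allowlist of fingerprints.

Added example (not from the HN thread or the article it discusses). Every key,
fingerprint and file line below is constructed for illustration.
"""
import base64
import hashlib


def parse_authorized_keys(text):
    """Return (key_type, key_b64, comment) for each usable key line.

    Blank lines and '#' comments are skipped. Lines may begin with option
    fields such as command="..." or no-pty; the key-type field is located by
    its prefix. Quoted options containing whitespace are not handled here.
    """
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue  # malformed entry: no key-type/key pair found
        key_type = parts[idx]
        key_b64 = parts[idx + 1]
        comment = " ".join(parts[idx + 2:])
        keys.append((key_type, key_b64, comment))
    return keys


def fingerprint(key_b64):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (no '=' padding)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def unexpected_keys(text, allowed_fingerprints):
    """Return (key_type, fingerprint, comment) for entries not in the allowlist."""
    found = []
    for key_type, key_b64, comment in parse_authorized_keys(text):
        fp = fingerprint(key_b64)
        if fp not in allowed_fingerprints:
            found.append((key_type, fp, comment))
    return found


# Constructed key blobs: the ssh-ed25519 wire format is a length-prefixed
# type string followed by a 32-byte public key. The key bytes are dummies.
_ED25519_HEADER = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20"
KNOWN_KEY_B64 = base64.b64encode(_ED25519_HEADER + b"\x01" * 32).decode()
ROGUE_KEY_B64 = base64.b64encode(_ED25519_HEADER + b"\x02" * 32).decode()

# The allowlist a host owner would keep in configuration management.
ALLOWED = {fingerprint(KNOWN_KEY_B64)}

# Constructed file contents: one expected key, then an entry that a rogue
# pipeline job appended, wrapped in option fields to look like automation.
SAMPLE_FILE = (
    "# constructed sample authorized_keys\n"
    f"ssh-ed25519 {KNOWN_KEY_B64} deploy@prod\n"
    "\n"
    f'command="/usr/bin/backup",no-pty ssh-ed25519 {ROGUE_KEY_B64} pipeline-added\n'
)


if __name__ == "__main__":
    for key_type, fp, comment in unexpected_keys(SAMPLE_FILE, ALLOWED):
        print(f"unexpected key: {key_type} {fp} {comment!r}")
```

Running the module reports only the `pipeline-added` entry. In practice the allowlist would come from the same source of truth that provisions the host, and the check would run from outside the CI pipeline so that a job which can edit the key file cannot also edit the allowlist it is compared against.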