4 matches found
CVE-2023-35165
CVE-2023-35165 concerns the AWS CDK EKS trust policies. In affected releases of aws-cdk-lib (2.0.0–2.80.0) and @aws-cdk/aws-eks (1.57.0–1.202.0), eks.Cluster and eks.FargateCluster create two roles, CreationRole and default MastersRole, with overly permissive trust policies. The CreationRole is u...
CVE-2024-45037
The CVE affects the AWS CDK RestApi with CognitoUserPoolAuthorizer. Under certain conditions, authenticated Cognito users may gain access beyond what is intended to protected API resources/methods, though API availability is not affected. Affected CDK versions are >=2.142.0 and =2.148.1; upgra...
CVE-2025-23206
The CVE-2025-23206 issue affects AWS CDK (IAM OIDC custom resource workflow). The tls.connect call sets rejectUnauthorized: false, enabling potential MITM risk when downloading CA thumbprints. A patch is in progress; remediation guidance in the connected docs recommends upgrading to CDK v2.177.0 ...
CVE-2025-2598
CVE-2025-2598 (AWS CDK CLI) : When using the AWS CDK CLI with a credential plugin that returns an expiration property, credentials may be printed to console output. The issue is mitigated by upgrading to version 2.178.2 or later and patching any forked/derivative code. Public references indicate ...