Veracode Vulnerability DatabaseVERACODE:40967Overly Permissive Trust Policies
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
22.0%
aws-cdk is vulnerable to Overly Permissive Trust Policies. The vulnerability exists because the library’s CreationRole and the default MastersRole use the account root principal in their trust policy, which allows eks.Cluster and eks.FargateCluster construct clusters to create two roles that have an overly permissive trust policy.
| CPE | Name | Operator | Version |
|---|---|---|---|
| @aws-cdk/aws-eks | le | 1.201.0 | |
| aws-cdk-lib | le | 2.79.1 | |
| @aws-cdk/aws-eks | le | 1.201.0 | |
| aws-cdk-lib | le | 2.79.1 |
References
github.com/advisories/GHSA-rx28-r23p-2qc3
github.com/aws/aws-cdk/commit/0251d9ab8ce07b55d3dc3cafedd46d2d585586ed
github.com/aws/aws-cdk/commit/51f0193bf34cca8254743561a1176e3ca5d83a74
github.com/aws/aws-cdk/issues/25674
github.com/aws/aws-cdk/pull/25473
github.com/aws/aws-cdk/pull/25580
github.com/aws/aws-cdk/security/advisories/GHSA-rx28-r23p-2qc3
Related
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
22.0%