CVE-2023-35165 - OpenCVE

Vendors	Products
Amazon	Aws Cloud Development Kit

Link	Resource
https://github.com/aws/aws-cdk/issues/25674	Issue Tracking Mitigation Third Party Advisory
https://github.com/aws/aws-cdk/security/advisories/GHSA-rx28-r23p-2qc3	Exploit Mitigation Third Party Advisory

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-35165", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-06-14T14:17:52.179Z", "datePublished": "2023-06-23T20:32:49.392Z", "dateUpdated": "2023-06-23T20:32:49.392Z"}, "containers": {"cna": {"title": "AWS CDK EKS overly permissive trust policies", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/aws/aws-cdk/security/advisories/GHSA-rx28-r23p-2qc3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/aws/aws-cdk/security/advisories/GHSA-rx28-r23p-2qc3"}, {"name": "https://github.com/aws/aws-cdk/issues/25674", "tags": ["x_refsource_MISC"], "url": "https://github.com/aws/aws-cdk/issues/25674"}], "affected": [{"vendor": "aws", "product": "aws-cdk", "versions": [{"version": "aws-cdk-lib >= 2.0.0, < 2.80.0", "status": "affected"}, {"version": "@aws-cdk/aws-eks >= 1.57.0, < 1.202.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-06-23T20:32:49.392Z"}, "descriptions": [{"lang": "en", "value": "AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. In the packages `aws-cdk-lib` 2.0.0 until 2.80.0 and `@aws-cdk/aws-eks` 1.57.0 until 1.202.0, `eks.Cluster` and `eks.FargateCluster` constructs create two roles, `CreationRole` and `default MastersRole`, that have an overly permissive trust policy. \n \nThe first, referred to as the `CreationRole`, is used by lambda handlers to create the cluster and deploy Kubernetes resources (e.g `KubernetesManifest`, `HelmChart`, ...) onto it. Users with CDK version higher or equal to 1.62.0 (including v2 users) may be affected.\n \nThe second, referred to as the `default MastersRole`, is provisioned only if the `mastersRole` property isn't provided and has permissions to execute `kubectl` commands on the cluster. Users with CDK version higher or equal to 1.57.0 (including v2 users) may be affected.\n\nThe issue has been fixed in `@aws-cdk/aws-eks` v1.202.0 and `aws-cdk-lib` v2.80.0. These versions no longer use the account root principal. Instead, they restrict the trust policy to the specific roles of lambda handlers that need it. There is no workaround available for CreationRole. To avoid creating the `default MastersRole`, use the `mastersRole` property to explicitly provide a role."}], "source": {"advisory": "GHSA-rx28-r23p-2qc3", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:amazon:aws_cloud_development_kit:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE3015E1-9478-42F9-8796-5CB04BCDCCF6", "versionEndExcluding": "1.202.0", "versionStartIncluding": "1.57.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:amazon:aws_cloud_development_kit:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D800851-B678-45C3-BB23-F1A9218D248F", "versionEndExcluding": "2.80.0", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. In the packages `aws-cdk-lib` 2.0.0 until 2.80.0 and `@aws-cdk/aws-eks` 1.57.0 until 1.202.0, `eks.Cluster` and `eks.FargateCluster` constructs create two roles, `CreationRole` and `default MastersRole`, that have an overly permissive trust policy. \n \nThe first, referred to as the `CreationRole`, is used by lambda handlers to create the cluster and deploy Kubernetes resources (e.g `KubernetesManifest`, `HelmChart`, ...) onto it. Users with CDK version higher or equal to 1.62.0 (including v2 users) may be affected.\n \nThe second, referred to as the `default MastersRole`, is provisioned only if the `mastersRole` property isn't provided and has permissions to execute `kubectl` commands on the cluster. Users with CDK version higher or equal to 1.57.0 (including v2 users) may be affected.\n\nThe issue has been fixed in `@aws-cdk/aws-eks` v1.202.0 and `aws-cdk-lib` v2.80.0. These versions no longer use the account root principal. Instead, they restrict the trust policy to the specific roles of lambda handlers that need it. There is no workaround available for CreationRole. To avoid creating the `default MastersRole`, use the `mastersRole` property to explicitly provide a role."}], "id": "CVE-2023-35165", "lastModified": "2023-07-06T15:37:52.977", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-06-23T21:15:09.553", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Mitigation", "Third Party Advisory"], "url": "https://github.com/aws/aws-cdk/issues/25674"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://github.com/aws/aws-cdk/security/advisories/GHSA-rx28-r23p-2qc3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

JSON object

JSON object

JSON object