CVE-2023-50928 - OpenCVE

"Sandbox Accounts for Events" provides multiple, temporary AWS accounts to a number of authenticated users simultaneously via a browser-based GUI. Authenticated users could potentially claim and access empty AWS accounts by sending request payloads to the account API containing non-existent event ids and self-defined budget & duration. This issue only affects cleaned AWS accounts, it is not possible to access AWS accounts in use or existing data/infrastructure. This issue has been patched in version 1.1.0.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Amazon	Awslabs Sandbox Accounts For Events

Configuration 1 [-]

cpe:2.3:a:amazon:awslabs_sandbox_accounts_for_events:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/awslabs/sandbox-accounts-for-events/commit/f30a0662f0a28734eb33c5868cccc1c319eb6e79	Patch
https://github.com/awslabs/sandbox-accounts-for-events/security/advisories/GHSA-cg8w-7q5v-g32r	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-12-22T21:00:49.814Z

Updated: 2023-12-22T21:00:49.814Z

Reserved: 2023-12-15T20:57:23.174Z

Link: CVE-2023-50928

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-12-22T21:15:08.580

Modified: 2024-01-08T15:23:00.327

Link: CVE-2023-50928

JSON object: View

Redhat Information

No data.

CWE

CWE-284

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-50928", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-12-15T20:57:23.174Z", "datePublished": "2023-12-22T21:00:49.814Z", "dateUpdated": "2023-12-22T21:00:49.814Z"}, "containers": {"cna": {"title": " sandbox-accounts-for-events security misconfiguration leads to budget exceed", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/awslabs/sandbox-accounts-for-events/security/advisories/GHSA-cg8w-7q5v-g32r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/awslabs/sandbox-accounts-for-events/security/advisories/GHSA-cg8w-7q5v-g32r"}, {"name": "https://github.com/awslabs/sandbox-accounts-for-events/commit/f30a0662f0a28734eb33c5868cccc1c319eb6e79", "tags": ["x_refsource_MISC"], "url": "https://github.com/awslabs/sandbox-accounts-for-events/commit/f30a0662f0a28734eb33c5868cccc1c319eb6e79"}], "affected": [{"vendor": "awslabs", "product": "sandbox-accounts-for-events", "versions": [{"version": "< 1.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-12-22T21:00:49.814Z"}, "descriptions": [{"lang": "en", "value": "\"Sandbox Accounts for Events\" provides multiple, temporary AWS accounts to a number of authenticated users simultaneously via a browser-based GUI. Authenticated users could potentially claim and access empty AWS accounts by sending request payloads to the account API containing non-existent event ids and self-defined budget & duration. This issue only affects cleaned AWS accounts, it is not possible to access AWS accounts in use or existing data/infrastructure. This issue has been patched in version 1.1.0."}], "source": {"advisory": "GHSA-cg8w-7q5v-g32r", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:amazon:awslabs_sandbox_accounts_for_events:*:*:*:*:*:*:*:*", "matchCriteriaId": "BC15DDF8-BE84-4B47-A804-CEF17DCC9722", "versionEndExcluding": "1.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\"Sandbox Accounts for Events\" provides multiple, temporary AWS accounts to a number of authenticated users simultaneously via a browser-based GUI. Authenticated users could potentially claim and access empty AWS accounts by sending request payloads to the account API containing non-existent event ids and self-defined budget & duration. This issue only affects cleaned AWS accounts, it is not possible to access AWS accounts in use or existing data/infrastructure. This issue has been patched in version 1.1.0."}, {"lang": "es", "value": "Sandbox Accounts for Events proporciona m\u00faltiples cuentas temporales de AWS a varios usuarios autenticados simult\u00e1neamente a trav\u00e9s de una GUI basada en navegador. Los usuarios autenticados podr\u00edan reclamar y acceder a cuentas vac\u00edas de AWS enviando payloads de solicitud a la API de la cuenta que contienen identificadores de eventos inexistentes y un presupuesto y una duraci\u00f3n autodefinidos. Este problema solo afecta a las cuentas de AWS limpiadas; no es posible acceder a las cuentas de AWS en uso ni a los datos/infraestructura existentes. Este problema se solucion\u00f3 en la versi\u00f3n 1.1.0."}], "id": "CVE-2023-50928", "lastModified": "2024-01-08T15:23:00.327", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-12-22T21:15:08.580", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/awslabs/sandbox-accounts-for-events/commit/f30a0662f0a28734eb33c5868cccc1c319eb6e79"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/awslabs/sandbox-accounts-for-events/security/advisories/GHSA-cg8w-7q5v-g32r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Primary"}]}