CVE-2024-45037

{"id": "CVE-2024-45037", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 3.1}]}, "published": "2024-08-27T19:15:17.583", "references": [{"url": "https://docs.aws.amazon.com/cdk/v2/guide/home.html", "source": "security-advisories@github.com"}, {"url": "https://github.com/aws/aws-cdk/commit/4bee768f07e73ab5fe466f9ad3d1845456a0513b", "source": "security-advisories@github.com"}, {"url": "https://github.com/aws/aws-cdk/releases/tag/v2.148.1", "source": "security-advisories@github.com"}, {"url": "https://github.com/aws/aws-cdk/security/advisories/GHSA-qj85-69xf-2vxq", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "The AWS Cloud Development Kit (CDK) is an open-source framework for defining cloud infrastructure using code. Customers use it to create their own applications which are converted to AWS CloudFormation templates during deployment to a customer\u2019s AWS account. CDK contains pre-built components called \"constructs\" that are higher-level abstractions providing defaults and best practices. This approach enables developers to use familiar programming languages to define complex cloud infrastructure more efficiently than writing raw CloudFormation templates. We identified an issue in AWS Cloud Development Kit (CDK) which, under certain conditions, can result in granting authenticated Amazon Cognito users broader than intended access. Specifically, if a CDK application uses the \"RestApi\" construct with \"CognitoUserPoolAuthorizer\" as the authorizer and uses authorization scopes to limit access. This issue does not affect the availability of the specific API resources. Authenticated Cognito users may gain unintended access to protected API resources or methods, leading to potential data disclosure, and modification issues. Impacted versions: >=2.142.0;<=2.148.0. A patch is included in CDK versions >=2.148.1. Users are advised to upgrade their AWS CDK version to 2.148.1 or newer and re-deploy their application(s) to address this issue."}, {"lang": "es", "value": "El kit de desarrollo de la nube (CDK) de AWS es un framework de c\u00f3digo abierto para definir la infraestructura de la nube mediante c\u00f3digo. Los clientes lo utilizan para crear sus propias aplicaciones que se convierten en plantillas de AWS CloudFormation durante la implementaci\u00f3n en la cuenta de AWS del cliente. CDK contiene componentes predise\u00f1ados llamados \"construcciones\" que son abstracciones de nivel superior que proporcionan valores predeterminados y mejores pr\u00e1cticas. Este enfoque permite a los desarrolladores utilizar lenguajes de programaci\u00f3n familiares para definir una infraestructura de nube compleja de manera m\u00e1s eficiente que escribir plantillas de CloudFormation sin procesar. Identificamos un problema en el kit de desarrollo de la nube (CDK) de AWS que, bajo ciertas condiciones, puede dar lugar a que se otorgue a los usuarios autenticados de Amazon Cognito un acceso m\u00e1s amplio del previsto. Espec\u00edficamente, si una aplicaci\u00f3n CDK usa la construcci\u00f3n \"RestApi\" con \"CognitoUserPoolAuthorizer\" como autorizador y usa alcances de autorizaci\u00f3n para limitar el acceso. Este problema no afecta la disponibilidad de los recursos API espec\u00edficos. Los usuarios autenticados de Cognito pueden obtener acceso no deseado a recursos o m\u00e9todos de API protegidos, lo que puede generar problemas de modificaci\u00f3n y divulgaci\u00f3n de datos. Versiones afectadas: &gt;=2.142.0;&lt;=2.148.0. Se incluye un parche en las versiones CDK &gt;=2.148.1. Se recomienda a los usuarios que actualicen su versi\u00f3n de AWS CDK a 2.148.1 o m\u00e1s reciente y vuelvan a implementar sus aplicaciones para solucionar este problema."}], "lastModified": "2024-08-28T12:57:39.090", "sourceIdentifier": "security-advisories@github.com"}