CVE-2023-35165

Summary

CVE-2023-35165 describes a vulnerability in the AWS Cloud Development Kit (AWS CDK) versions 2.0.0 until 2.80.0 and 1.57.0 until 1.202.0, specifically in the `eks.Cluster` and `eks.FargateCluster` constructs that create two roles with overly permissive trust policies. The 'CreationRole' is used by lambda handlers to create the cluster and deploy Kubernetes resources, while the 'default MastersRole' has permissions to execute `kubectl` commands on the cluster. Users with CDK versions higher or equal to 1.62.0 may be affected by the CreationRole issue, while users with CDK versions higher or equal to 1.57.0 may be affected by the default MastersRole issue. The vulnerability has been fixed in `@aws-cdk-lib`. This vulnerability poses a high risk to organizations as it allows unauthorized access and control over AWS resources, potentially leading to data breaches or system compromise if exploited by malicious actors. Note: The provided information is based on the given text and does not include any additional external sources for analysis beyond what was provided in the original text.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.