CVE-2023-35165

CVSS Score of 10 (low)

Details

Published Jun 23, 2023
Updated: Jul 6, 2023
CWE ID 863

Summary

CVE-2023-35165 describes a vulnerability in the AWS Cloud Development Kit (AWS CDK) versions 2.0.0 until 2.80.0 and 1.57.0 until 1.202.0, specifically in the `eks.Cluster` and `eks.FargateCluster` constructs that create two roles with overly permissive trust policies. The 'CreationRole' is used by lambda handlers to create the cluster and deploy Kubernetes resources, while the 'default MastersRole' has permissions to execute `kubectl` commands on the cluster. Users with CDK versions higher or equal to 1.62.0 may be affected by the CreationRole issue, while users with CDK versions higher or equal to 1.57.0 may be affected by the default MastersRole issue. The vulnerability has been fixed in `@aws-cdk-lib`. This vulnerability poses a high risk to organizations as it allows unauthorized access and control over AWS resources, potentially leading to data breaches or system compromise if exploited by malicious actors. Note: The provided information is based on the given text and does not include any additional external sources for analysis beyond what was provided in the original text.

Share

Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2023-35165 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options