App Runner cross-tenant VPC connectors info leak

Published Mon, Apr 3rd, 2023


The API action ListVpcConnectorsForAccount did not properly validate the "AccountId" parameter that was passed to it. As a result, a caller could provide any account ID and the API would return the information for that account. This leaked minor information about the App Runner VPC configuration in that account, including the subnet ID, security group ID, and the VPC Connector ARN.

Affected Services

App Runner


None required

Tracked CVEs

No tracked CVEs


Disclosure Date
Tue, Feb 28th, 2023
Exploitability Period
Until 2023/03/13
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by
Nick Frichette