high

AWS AppSync confused deputy via ServiceRoleArn

Published Mon, Nov 21st, 2022
Platforms

Summary

The AWS AppSync service could be coerced into assuming roles in other customers' accounts that trusted the AppSync service principal (a cross-service confused deputy). The cause was insufficient validation of the serviceRoleArn parameter: because of a case-sensitivity parsing issue, the check on that parameter could be bypassed and a role ARN belonging to a different account was accepted. An adversary who knew the ARN of a role trusted by AppSync in a target account could therefore have AppSync assume it and use the role's permissions to invoke arbitrary AWS API calls in that account.
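The precondition on the victim side is a role whose trust policy lets appsync.amazonaws.com call sts:AssumeRole. The following script, an added example and not code from the advisory, Datadog or AWS, walks a set of trust policies and reports those that trust AppSync without a Condition on aws:SourceAccount or aws:SourceArn. Those condition keys are AWS's general cross-service confused-deputy guidance and are shown here as defence in depth, not as the fix for this particular bug (which AWS fixed service-side). The role names, account ID, API ARN pattern and policy documents are constructed for the example.

```python
"""Audit IAM role trust policies for unscoped trust in the AppSync service.

Added example; not code from the advisory or from AWS. The policy documents
below are constructed. Scoping cross-service trust with aws:SourceAccount /
aws:SourceArn is AWS's general confused-deputy guidance and is shown here as
defence in depth, not as the fix for this particular bug.
"""
from typing import Any, Dict, List

APPSYNC_SERVICE = "appsync.amazonaws.com"
SCOPING_KEYS = {"aws:sourceaccount", "aws:sourcearn"}  # compared lower-cased


def _as_list(value: Any) -> list:
    """IAM accepts a string or a list in most places; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def appsync_trust_findings(role_name: str, trust_policy: Dict) -> List[str]:
    """Return one finding per Allow statement that lets appsync.amazonaws.com
    call sts:AssumeRole without aws:SourceAccount or aws:SourceArn."""
    findings: List[str] = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive, so compare lower-cased.
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if APPSYNC_SERVICE not in services:
            continue
        # Condition keys are case-insensitive too; a case-sensitive comparison
        # here would miss "aws:sourcearn" and report a false positive.
        cond_keys = set()
        for operator_values in stmt.get("Condition", {}).values():
            cond_keys.update(k.lower() for k in operator_values)
        if not cond_keys & SCOPING_KEYS:
            findings.append(
                f"{role_name}: {APPSYNC_SERVICE} may assume this role from any "
                f"source; add a Condition on aws:SourceAccount or aws:SourceArn"
            )
    return findings


# Constructed sample trust policies (account ID, names and ARN are made up).
WEAK_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "appsync.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

HARDENED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "appsync.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": "111122223333"},
            "ArnLike": {"aws:SourceArn": "arn:aws:appsync:us-east-1:111122223333:apis/*"},
        },
    }],
}

UNRELATED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def audit(roles: Dict[str, Dict]) -> List[str]:
    """Run the check over a {role_name: trust_policy} map, e.g. built from the
    AssumeRolePolicyDocument field of `aws iam list-roles` output."""
    out: List[str] = []
    for name, policy in roles.items():
        out.extend(appsync_trust_findings(name, policy))
    return out


if __name__ == "__main__":
    for line in audit({"AppSyncDynamoRole": WEAK_TRUST,
                       "AppSyncScopedRole": HARDENED_TRUST,
                       "LambdaExecRole": UNRELATED_TRUST}):
        print(line)
```

Feed it the decoded AssumeRolePolicyDocument of every role in the account; only roles that trust AppSync are considered, and a role that already carries either scoping key is silent.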

Affected Services

AppSync

Remediation

None required; the issue was fixed on the AWS service side and no customer action is needed.

Tracked CVEs

No tracked CVEs

References

Disclosure Date
Thu, Sep 1st, 2022
Exploitability Period
Until 2022/09/06
Known ITW Exploitation
-
Detection Methods
In CloudTrail, review sts:AssumeRole events made by the AppSync service principal (userIdentity.invokedBy = appsync.amazonaws.com), especially for roles that trust AppSync but are not attached to any AppSync data source, and review API calls made by AppSync-issued role sessions that your resolvers would never perform. The victim account's logs show only AppSync assuming the role, not the attacker's account, so detection has to rest on what the role session does rather than on who triggered it.
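The two checks described above, applied to CloudTrail records, as an added example that is not part of the original advisory. Field names follow the public CloudTrail record format (userIdentity.type, invokedBy, sessionContext.sessionIssuer.arn, requestParameters.roleArn); the sample events, the account ID, the set of roles attached to AppSync APIs and the allowlist of expected resolver actions are all constructed for the example and would be replaced with your own inventory.

```python
"""Triage CloudTrail records for misuse of roles that trust AppSync.

Added example, not from the advisory. Sample events are constructed to
follow the CloudTrail record shape; all values are made up.
"""
import json
from typing import Dict, Iterable, List, Optional

APPSYNC_SERVICE = "appsync.amazonaws.com"

# Roles actually wired to AppSync data sources in this account (in practice
# collected from `aws appsync list-data-sources` per API). Constructed.
KNOWN_APPSYNC_ROLES = {
    "arn:aws:iam::111122223333:role/AppSyncDynamoRole",
}

# (eventSource, eventName) pairs the resolvers legitimately perform.
# Assumption: tune to your own data sources; anything else coming from an
# AppSync-issued session is treated as suspicious.
EXPECTED_ACTIONS = {
    ("dynamodb.amazonaws.com", "GetItem"),
    ("dynamodb.amazonaws.com", "Query"),
    ("dynamodb.amazonaws.com", "PutItem"),
}


def issuer_role_arn(event: Dict) -> Optional[str]:
    """Role ARN behind an AssumedRole session, or None for other identities."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    return (ident.get("sessionContext", {})
                 .get("sessionIssuer", {})
                 .get("arn"))


def triage(events: Iterable[Dict]) -> List[Dict]:
    """Return findings for records made by, or on behalf of, the AppSync service."""
    findings: List[Dict] = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("invokedBy") != APPSYNC_SERVICE:
            continue  # not AppSync acting, skip

        src, name = ev.get("eventSource"), ev.get("eventName")

        # Check 1: AppSync assuming a role. Is that role attached to one of our APIs?
        if ident.get("type") == "AWSService" and (src, name) == ("sts.amazonaws.com", "AssumeRole"):
            role = ev.get("requestParameters", {}).get("roleArn")
            if role not in KNOWN_APPSYNC_ROLES:
                findings.append({"eventID": ev.get("eventID"), "role": role,
                                 "reason": "appsync assumed a role not attached to any known API"})
            continue

        # Check 2: an AppSync-issued session calling something resolvers never do.
        role = issuer_role_arn(ev)
        if role and (src, name) not in EXPECTED_ACTIONS:
            findings.append({"eventID": ev.get("eventID"), "role": role,
                             "reason": f"unexpected {src} {name} from appsync session"})
    return findings


DYNAMO_ROLE = "arn:aws:iam::111122223333:role/AppSyncDynamoRole"

# Constructed sample records, trimmed to the fields the checks read.
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "AWSService", "invokedBy": APPSYNC_SERVICE},
     "requestParameters": {"roleArn": DYNAMO_ROLE}},
    {"eventID": "e2", "eventSource": "dynamodb.amazonaws.com", "eventName": "Query",
     "userIdentity": {"type": "AssumedRole", "invokedBy": APPSYNC_SERVICE,
                      "sessionContext": {"sessionIssuer": {"arn": DYNAMO_ROLE}}}},
    {"eventID": "e3", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"type": "AssumedRole", "invokedBy": APPSYNC_SERVICE,
                      "sessionContext": {"sessionIssuer": {"arn": DYNAMO_ROLE}}}},
    {"eventID": "e4", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "AWSService", "invokedBy": APPSYNC_SERVICE},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/LegacyAppSyncRole"}},
    {"eventID": "e5", "eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
     "userIdentity": {"type": "AssumedRole",
                      "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/DeployRole"}}}},
]


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Against the sample records the script reports e3 (an AppSync-issued session listing IAM users) and e4 (AppSync assuming a role that no API uses); e1 and e2 are normal resolver activity and e5 is unrelated to AppSync. The allowlist in check 2 is what makes the confused-deputy case visible at all: the AssumeRole record for a role the attacker targets looks identical to a legitimate one.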
Piercing Index Rating
9.19
(PI:1.5/A1:20/A2:1.1/A7:1.1/A8:1.1)
Discovered by
Nick Frichette, Datadog