high

Issue with AWS Deployment Framework

Published Tue, Jun 11th, 2024
Platforms

Summary

CVE-2024-37293 affects the AWS Deployment Framework's bootstrap process, potentially allowing privilege escalation if an actor has permissions to change CodeBuild projects or Lambda functions. The issue is fixed in version 4.0 and above. AWS recommends upgrading immediately and, as a temporary mitigation, adding a permissions boundary to the roles created by ADF in the management account.

Affected Services

AWS Deployment Framework

Remediation

Upgrade to ADF version 4.0 or above. As temporary mitigation, add a permissions boundary to roles created by ADF in the management account, denying all IAM and STS actions until upgrading or bootstrapping a new account.

Tracked CVEs

CVE-2024-37293

References

Entry Status
Stub (AI-Generated)
Disclosure Date
-
Exploitability Period
Until 2024/06/11
Known ITW Exploitation
-
Detection Methods
Check the version of AWS Deployment Framework in use. Monitor for unauthorized changes to CodeBuild projects or Lambda functions associated with the ADF bootstrap process.
Piercing Index Rating
-
Discovered by
Xidian University
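The second detection method above (monitoring for changes to ADF-associated CodeBuild projects and Lambda functions) can be implemented over CloudTrail records. The following is an added example, not part of this entry or the ADF project; the sample records are constructed, the "adf"/"bootstrap" naming heuristic and the trusted role ARN are assumptions to be replaced with the names your deployment actually uses.

```python
"""Flag CloudTrail records that change CodeBuild projects or Lambda functions tied
to the ADF bootstrap. Records are constructed; the name heuristic is an assumption."""

# CloudTrail eventSource -> eventName values that alter build or function code.
WATCHED_EVENTS = {
    "codebuild.amazonaws.com": {"CreateProject", "UpdateProject", "DeleteProject"},
    "lambda.amazonaws.com": {"CreateFunction20150331", "UpdateFunctionCode20150331v2",
                             "UpdateFunctionConfiguration20150331v2"},
}
# Assumption: ADF bootstrap resources carry one of these substrings in their name.
ADF_MARKERS = ("adf", "bootstrap")
# Assumption: hypothetical ARN of the role that legitimately runs the bootstrap.
TRUSTED_ARNS = {"arn:aws:sts::111122223333:assumed-role/adf-bootstrap-role/session"}


def resource_name(event: dict) -> str:
    """Project name or function name from the request parameters, if present."""
    params = event.get("requestParameters") or {}
    return str(params.get("name") or params.get("functionName") or "")


def is_adf_change(event: dict) -> bool:
    """True when the record modifies an ADF-associated project or function."""
    names = WATCHED_EVENTS.get(event.get("eventSource", ""), set())
    if event.get("eventName") not in names:
        return False
    return any(m in resource_name(event).lower() for m in ADF_MARKERS)


def suspicious_events(records: list[dict], trusted: set[str] = TRUSTED_ARNS) -> list[dict]:
    """ADF changes made by a principal that is not a trusted bootstrap role."""
    flagged = []
    for ev in records:
        actor = ev.get("userIdentity", {}).get("arn", "")
        if is_adf_change(ev) and actor not in trusted:
            flagged.append(ev)
    return flagged


# Constructed sample trail: a rogue edit, a legitimate bootstrap run, an unrelated build.
SAMPLE_TRAIL = [
    {"eventSource": "codebuild.amazonaws.com", "eventName": "UpdateProject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": {"name": "adf-bootstrap-pipeline"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/adf-bootstrap-role/session"},
     "requestParameters": {"functionName": "adf-account-bootstrap"}},
    {"eventSource": "codebuild.amazonaws.com", "eventName": "UpdateProject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": {"name": "web-app-build"}},
]
```

Only the first record is returned by suspicious_events(SAMPLE_TRAIL): the Lambda update comes from the trusted bootstrap role and the third project name carries no ADF marker.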