Summary
CVE-2024-37293 affects the AWS Deployment Framework's bootstrap process, potentially allowing privilege escalation if an actor has permissions to change CodeBuild projects or Lambda functions. The issue is fixed in version 4.0 and above. AWS recommends immediate upgrade and temporary mitigation by adding a permissions boundary to roles created by ADF in the management account.
Affected Services
AWS Deployment Framework
Remediation
Upgrade to ADF version 4.0 or above. As temporary mitigation, add a permissions boundary to roles created by ADF in the management account, denying all IAM and STS actions until upgrading or bootstrapping a new account.
Tracked CVEs
CVE-2024-37293
References
Contributed by https://github.com/korniko98
Entry Status
Stub (AI-Generated)
Disclosure Date
-
Exploitablity Period
Until 2024/06/11
Known ITW Exploitation
-
Detection Methods
Check the version of AWS Deployment Framework in use. Monitor for unauthorized changes to CodeBuild projects or Lambda functions associated with ADF bootstrap process.
Piercing Index Rating
-
Discovered by
Xidian University
