CVE-2024-37293 affects the AWS Deployment Framework's bootstrap process, potentially allowing privilege escalation if an actor has permissions to change CodeBuild projects or Lambda functions. The issue is fixed in version 4.0 and above. AWS recommends immediate upgrade and temporary mitigation by adding a permissions boundary to roles created by ADF in the management account.
Affected Services
AWS Deployment Framework
Remediation
Upgrade to ADF version 4.0 or above. As temporary mitigation, add a permissions boundary to roles created by ADF in the management account, denying all IAM and STS actions until upgrading or bootstrapping a new account.
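The temporary mitigation above, shown as an added example (not code from AWS or the ADF project): a permissions boundary document that denies every IAM and STS action, an offline check of what it blocks, and a helper that creates the policy and attaches it to the ADF roles in the management account. The policy name and the role names passed in are placeholders; a real deployment must use the names of the roles ADF actually created.

```python
import fnmatch
import json

# Constructed boundary: explicit Deny on all iam:* and sts:* actions, Allow on
# everything else so the role's own policies keep working until the upgrade.
ADF_BOUNDARY_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowEverythingElse", "Effect": "Allow",
         "Action": "*", "Resource": "*"},
        {"Sid": "DenyIamAndSts", "Effect": "Deny",
         "Action": ["iam:*", "sts:*"], "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def boundary_permits(action, document=ADF_BOUNDARY_DOCUMENT):
    """Offline check: is `action` still available under the boundary?

    Mirrors the IAM rule that an explicit Deny beats any Allow, with
    case-insensitive wildcard matching of action names. A boundary never
    grants anything by itself; True only means "not capped by the boundary".
    """
    allowed = False
    for stmt in document["Statement"]:
        patterns = _as_list(stmt["Action"])
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def apply_boundary(iam_client, role_names, policy_name="adf-temp-deny-iam-sts"):
    """Create the boundary policy and attach it to each ADF-created role.

    `iam_client` is a boto3 IAM client for the management account
    (boto3.client("iam")); injecting it keeps the function testable offline.
    Returns the ARN of the created policy.
    """
    created = iam_client.create_policy(
        PolicyName=policy_name, PolicyDocument=json.dumps(ADF_BOUNDARY_DOCUMENT)
    )
    arn = created["Policy"]["Arn"]
    for name in role_names:
        iam_client.put_role_permissions_boundary(RoleName=name, PermissionsBoundary=arn)
    return arn
```

Remove the boundary again (`delete_role_permissions_boundary`) only after ADF 4.0 or above has been bootstrapped, since the Deny also blocks ADF's own legitimate role management.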
Check the version of AWS Deployment Framework in use. Monitor for unauthorized changes to CodeBuild projects or Lambda functions associated with the ADF bootstrap process.