AWS Amplify CLI Vulnerability Could Have Led to Unauthorized Access to AWS Resources
CVE-2024-28056

9.8CRITICAL

Key Information:

Vendor: Amazon
Status: AWS Amplify CLI
Vendor: CVE Published:; 15 April 2024

What is CVE-2024-28056?

The AWS Amplify CLI versions before 12.10.1 have a vulnerability due to improper configuration of the IAM role trust policy associated with Amplify projects. When the Authentication component of an Amplify project is removed, the expected Condition property is omitted, allowing for the 'Effect' to default to 'Allow'. This oversight permits the sts:AssumeRoleWithWebIdentity action to be executed by unauthorized users, enhancing the risk of unauthorized access to AWS resources. This scenario can be particularly risky if an authorized AWS user mistakenly removes the Authentication component, potentially facilitating a security breach without the necessary conditions applied for safeguarding sensitive resources.

References

https://github.com/aws-amplify/amplify-cli/releases/tag/v...

https://github.com/aws-amplify/amplify-cli/commit/73b08dc...

https://github.com/aws-amplify/amplify-cli/blob/8ad57bf99...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 15, 2024
Vulnerability Reserved
Mar 1, 2024

Amazon

What is CVE-2024-28056?

References

CVSS V3.1

Timeline