@aws-cdk/aws-eks@1.179.0 vulnerabilities

The CDK Construct Library for AWS::EKS

Direct Vulnerabilities

Known vulnerabilities in the @aws-cdk/aws-eks package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Incorrect Privilege Assignment

@aws-cdk/aws-eks is a The CDK Construct Library for AWS::EKS

Affected versions of this package are vulnerable to Incorrect Privilege Assignment such that eks.Cluster and eks.FargateCluster constructs create two roles that have an overly permissive trust policy. Both these roles use the account root principal in their trust policy, which allows any identity in the account with the appropriate sts:AssumeRole permissions to assume it.

Note:

Only eks.Cluster or eks.FargateCluster construct users are impacted.

How to fix Incorrect Privilege Assignment?

Upgrade @aws-cdk/aws-eks to version 1.202.0 or higher.

>=1.57.0 <1.202.0