aws-cdk-lib@2.36.0 vulnerabilities

Version 2 of the AWS Cloud Development Kit library

Direct Vulnerabilities

Known vulnerabilities in the aws-cdk-lib package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Incorrect Privilege Assignment

aws-cdk-lib is a Version 2 of the AWS Cloud Development Kit library

Affected versions of this package are vulnerable to Incorrect Privilege Assignment such that eks.Cluster and eks.FargateCluster constructs create two roles that have an overly permissive trust policy. Both these roles use the account root principal in their trust policy, which allows any identity in the account with the appropriate sts:AssumeRole permissions to assume it.

Note:

Only eks.Cluster or eks.FargateCluster construct users are impacted.

How to fix Incorrect Privilege Assignment?

Upgrade aws-cdk-lib to version 2.80.0 or higher.

>=2.0.0 <2.80.0