Vulnerability	Vulnerable Version
L Improper Verification of Cryptographic Signature aws-cdk-lib is a Version 2 of the AWS Cloud Development Kit library Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to the `tls.connect` method setting `rejectUnauthorized` to false by default. An attacker can intercept and manipulate the data transmitted over the connection by exploiting the lack of proper TLS verification.ֿ Note The issuer URL is specified by CDK users when defining their CDK application. If they choose to connect to an unauthorized OIDC provider, CDK should not prevent this. Furthermore, the code block is executed within a Lambda environment, which helps mitigate the risk of MITM attacks. After upgrading to the fixed version, ensure the feature flag `@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections` is set to `true` in `cdk.context.json` or `cdk.json`. More details on AWS CDK feature flags setting can be found here. How to fix Improper Verification of Cryptographic Signature? Upgrade `aws-cdk-lib` to version 2.177.0 or higher.	<2.177.0
H Incorrect Privilege Assignment aws-cdk-lib is a Version 2 of the AWS Cloud Development Kit library Affected versions of this package are vulnerable to Incorrect Privilege Assignment such that `eks.Cluster` and `eks.FargateCluster` constructs create two roles that have an overly permissive trust policy. Both these roles use the account root principal in their trust policy, which allows any identity in the account with the appropriate `sts:AssumeRole` permissions to assume it. Note: Only `eks.Cluster` or `eks.FargateCluster` construct users are impacted. How to fix Incorrect Privilege Assignment? Upgrade `aws-cdk-lib` to version 2.80.0 or higher.	>=2.0.0 <2.80.0

Improper Verification of Cryptographic Signature

aws-cdk-lib is a Version 2 of the AWS Cloud Development Kit library

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to the tls.connect method setting rejectUnauthorized to false by default. An attacker can intercept and manipulate the data transmitted over the connection by exploiting the lack of proper TLS verification.ֿ

Note

The issuer URL is specified by CDK users when defining their CDK application. If they choose to connect to an unauthorized OIDC provider, CDK should not prevent this. Furthermore, the code block is executed within a Lambda environment, which helps mitigate the risk of MITM attacks.
After upgrading to the fixed version, ensure the feature flag @aws-cdk/aws-iam:oidcRejectUnauthorizedConnections is set to true in cdk.context.json or cdk.json. More details on AWS CDK feature flags setting can be found here.

How to fix Improper Verification of Cryptographic Signature?

Upgrade aws-cdk-lib to version 2.177.0 or higher.

<2.177.0

Incorrect Privilege Assignment

aws-cdk-lib is a Version 2 of the AWS Cloud Development Kit library

Affected versions of this package are vulnerable to Incorrect Privilege Assignment such that eks.Cluster and eks.FargateCluster constructs create two roles that have an overly permissive trust policy. Both these roles use the account root principal in their trust policy, which allows any identity in the account with the appropriate sts:AssumeRole permissions to assume it.

Note:

Only eks.Cluster or eks.FargateCluster construct users are impacted.

How to fix Incorrect Privilege Assignment?

Upgrade aws-cdk-lib to version 2.80.0 or higher.

>=2.0.0 <2.80.0

Go back to all versions of this package