aws-cdk-lib@2.9.0 vulnerabilities

Version 2 of the AWS Cloud Development Kit library

  • latest version

    2.173.0

  • latest non vulnerable version

  • first published

    4 years ago

  • latest version published

    1 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the aws-cdk-lib package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Incorrect Privilege Assignment

    aws-cdk-lib is a Version 2 of the AWS Cloud Development Kit library

    Affected versions of this package are vulnerable to Incorrect Privilege Assignment such that eks.Cluster and eks.FargateCluster constructs create two roles that have an overly permissive trust policy. Both these roles use the account root principal in their trust policy, which allows any identity in the account with the appropriate sts:AssumeRole permissions to assume it.

    Note:

    Only eks.Cluster or eks.FargateCluster construct users are impacted.

    How to fix Incorrect Privilege Assignment?

    Upgrade aws-cdk-lib to version 2.80.0 or higher.

    >=2.0.0 <2.80.0