awscli@1.44.63

Universal Command Line Environment for AWS.

  • latest version

    1.45.47

  • latest non vulnerable version

  • first published

    13 years ago

  • latest version published

    7 hours ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the awscli package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Incorrect Permission Assignment for Critical Resource

    Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource via the _create_config path in awscli/customizations/codedeploy/register.py. An attacker can read the CodeDeploy on-premises configuration file by accessing it on the same Unix-like host after aws deploy register writes credential-bearing data, because the file is created with default open(..., 'w') permissions that can leave it world-readable. This exposes the region, IAM user ARN, access key ID, and secret access key to other local users, allowing them to reuse the credentials and impersonate the registered on-premises instance.

    Notes

    • On Unix-like systems, the vulnerable path depends on the process umask when aws deploy register creates DEFAULT_CONFIG_FILE; with the common default umask, the file can end up mode 0644 and readable by other local users.
    • The issue applies to the on-premises CodeDeploy registration flow that writes the credential-bearing instance config file for later use by aws deploy install --config-file, not to the general aws CLI profile/config file handling.

    Workarounds

    • Run aws deploy register only on hosts where other local users are trusted, or isolate the registration on a single-user machine, to prevent same-host users from reading the generated CodeDeploy configuration file and reusing the embedded credentials.
    • Restrict access to the generated CodeDeploy configuration file named by DEFAULT_CONFIG_FILE so only the intended account can read it, to prevent disclosure of the region, IAM user ARN, access key ID, and secret access key to other local users.

    How to fix Incorrect Permission Assignment for Critical Resource?

    Upgrade awscli to version 1.44.78 or higher.

    [,1.44.78)