In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsLearn about Insertion of Sensitive Information into Log File vulnerabilities in an interactive lesson.
Start learningUpgrade aws-cdk-lib
to version 2.187.0 or higher.
aws-cdk-lib is a Version 2 of the AWS Cloud Development Kit library
Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File via the DescribeCognitoUserPoolClient
CDK API. A user with access to the account where logs for this user pool are stored, and read permissions on the associated lambda function logs, can see the secrets generated by other users' cognito.UserPoolClient
constructs.
Note: After upgrading, applications must be redeployed with the feature flag @aws-cdk/cognito:logUserPoolClientSecretValue
set to false to remediate this vulnerability.
This vulnerability can be avoided by setting Logging.withDataHidden()
.