The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade awscli to version 1.44.78 or higher.
Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource via the _create_config path in awscli/customizations/codedeploy/register.py. An attacker can read the CodeDeploy on-premises configuration file by accessing it on the same Unix-like host after aws deploy register writes credential-bearing data, because the file is created with default open(..., 'w') permissions that can leave it world-readable. This exposes the region, IAM user ARN, access key ID, and secret access key to other local users, allowing them to reuse the credentials and impersonate the registered on-premises instance.
Notes
aws deploy register creates DEFAULT_CONFIG_FILE; with the common default umask, the file can end up mode 0644 and readable by other local users.aws deploy install --config-file, not to the general aws CLI profile/config file handling.Workarounds
aws deploy register only on hosts where other local users are trusted, or isolate the registration on a single-user machine, to prevent same-host users from reading the generated CodeDeploy configuration file and reusing the embedded credentials.DEFAULT_CONFIG_FILE so only the intended account can read it, to prevent disclosure of the region, IAM user ARN, access key ID, and secret access key to other local users.