Vulnerability	Vulnerable Version
M Incorrect Default Permissions aws-cdk-lib is a Version 2 of the AWS Cloud Development Kit library Affected versions of this package are vulnerable to Incorrect Default Permissions in the IAM trust policy. A user with `sts:AssumeRole` permissions can escalate privileges to those defined by the IAM trust policy, including performing unauthorized actions on CloudFormation, CodeCommit, Lambda, and ECS. Note: After upgrading to the patched version, the feature flag `@aws-cdk/pipelines:reduceStageRoleTrustScope` must be set to true, and applications redeployed. How to fix Incorrect Default Permissions? Upgrade `aws-cdk-lib` to version 2.184.0 or higher.	<2.184.0
L Improper Verification of Cryptographic Signature aws-cdk-lib is a Version 2 of the AWS Cloud Development Kit library Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to the `tls.connect` method setting `rejectUnauthorized` to false by default. An attacker can intercept and manipulate the data transmitted over the connection by exploiting the lack of proper TLS verification.ֿ Note The issuer URL is specified by CDK users when defining their CDK application. If they choose to connect to an unauthorized OIDC provider, CDK should not prevent this. Furthermore, the code block is executed within a Lambda environment, which helps mitigate the risk of MITM attacks. After upgrading to the fixed version, ensure the feature flag `@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections` is set to `true` in `cdk.context.json` or `cdk.json`. More details on AWS CDK feature flags setting can be found here. How to fix Improper Verification of Cryptographic Signature? Upgrade `aws-cdk-lib` to version 2.177.0 or higher.	<2.177.0

Incorrect Default Permissions

aws-cdk-lib is a Version 2 of the AWS Cloud Development Kit library

Affected versions of this package are vulnerable to Incorrect Default Permissions in the IAM trust policy. A user with sts:AssumeRole permissions can escalate privileges to those defined by the IAM trust policy, including performing unauthorized actions on CloudFormation, CodeCommit, Lambda, and ECS.

Note: After upgrading to the patched version, the feature flag @aws-cdk/pipelines:reduceStageRoleTrustScope must be set to true, and applications redeployed.

How to fix Incorrect Default Permissions?

Upgrade aws-cdk-lib to version 2.184.0 or higher.

<2.184.0

Improper Verification of Cryptographic Signature

aws-cdk-lib is a Version 2 of the AWS Cloud Development Kit library

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to the tls.connect method setting rejectUnauthorized to false by default. An attacker can intercept and manipulate the data transmitted over the connection by exploiting the lack of proper TLS verification.ֿ

Note

The issuer URL is specified by CDK users when defining their CDK application. If they choose to connect to an unauthorized OIDC provider, CDK should not prevent this. Furthermore, the code block is executed within a Lambda environment, which helps mitigate the risk of MITM attacks.
After upgrading to the fixed version, ensure the feature flag @aws-cdk/aws-iam:oidcRejectUnauthorizedConnections is set to true in cdk.context.json or cdk.json. More details on AWS CDK feature flags setting can be found here.

How to fix Improper Verification of Cryptographic Signature?

Upgrade aws-cdk-lib to version 2.177.0 or higher.

<2.177.0

Go back to all versions of this package