forked from wiz-sec/open-cvdb
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fixes wiz-sec#289: AWS IAM validation bug
- Loading branch information
Showing
1 changed file
with
34 additions
and
0 deletions.
There are no files selected for viewing
34 changes: 34 additions & 0 deletions
34
vulnerabilities/aws-iam-trust-policy-condition-evaluation-bug.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
title: AWS IAM Trust Policy Condition Evaluation Bug | ||
slug: aws-iam-trust-policy-condition-evaluation-bug | ||
cves: null | ||
affectedPlatforms: | ||
- AWS | ||
affectedServices: | ||
- IAM | ||
- STS | ||
image: https://plus.unsplash.com/premium_photo-1683275025932-70afaa30c3d5?q=80&w=1460&auto=format&fit=crop&ixlib=rb-4.0.3&ixid=M3wxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8fA%3D%3D | ||
severity: Low | ||
discoveredBy: | ||
name: null | ||
org: Stedi | ||
domain: https://www.stedi.com | ||
twitter: null | ||
publishedAt: 2024/04/09 | ||
disclosedAt: 2023/06/20 | ||
exploitabilityPeriod: null | ||
knownITWExploitation: false | ||
summary: | | ||
Tag variable names affected whether trust policy conditions were evaluated correctly. | ||
If the request tag referenced a principal tag called MemberRole in the JWT token, and | ||
the IAM role referenced a resource tag with the same variable name, the condition was | ||
always evaluated as true, regardless of whether the tag's values actually matched. Only | ||
role trust policies that used a variable substitution for both the request tag and the | ||
resource tag in the policy statement resulted in the policy evaluating incorrectly. The | ||
issue impacted statements within IAM boundary policies and SCP policies that contained | ||
the same pattern of STS role assumption with tag-based conditions. | ||
manualRemediation: | | ||
None required | ||
detectionMethods: null | ||
contributor: https://github.com/ramimac | ||
references: | ||
- https://www.stedi.com/blog/stedi-discovered-an-aws-access-vulnerability |