| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| aws-cdk-lib | npm | >= 2.37.0, < 2.187.0 | 2.187.0 |
The vulnerability existed in the UserPoolClient secret retrieval flow: the custom resource Custom::DescribeCognitoUserPoolClient that resolves the client secret wrote the Cognito API response, including the secret value, to its Lambda function logs.
This issue does not affect customers who generate the secret value outside of the CDK, since in that case the secret is neither referenced by the custom resource nor logged.
To exploit this issue, an actor must be authenticated in the AWS account that holds the logs of the custom resource Custom::DescribeCognitoUserPoolClient and must have at least read permission on the Lambda function's logs.
Users can review access to the custom resource's log group through AWS CloudTrail logs to detect any unexpected reads of those logs.
Impacted versions: >= 2.37.0 and < 2.187.0
The patches are included in the AWS CDK Library release v2.187.0. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes. Because the secret value may already have been written to logs, fully addressing this issue also requires rotating it: generate a new secret stored in AWS Secrets Manager, and references to the secret will use the new value on update.
New CDK applications initialized with the latest version use the new behavior with updated logging.
Existing applications must upgrade to the latest version, set the feature flag @aws-cdk/cognito:logUserPoolClientSecretValue to false in the cdk.json context, and redeploy the application so that the fix and its updated logging behavior take effect.
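The following pre-flight check is an added example and is not part of this advisory or of aws-cdk-lib. It answers "is this app still exposed?" from two inputs a practitioner already has on disk: the installed aws-cdk-lib version (the `version` field of node_modules/aws-cdk-lib/package.json) and the text of the app's cdk.json. The function names (`isAffectedVersion`, `secretLoggingDisabled`, `assessApp`) are assumptions of this example. It compares versions numerically (a plain string comparison would put 2.187.0 before 2.37.0) and, following the advisory's instruction to set the flag explicitly, treats a missing flag as not remediated:

```typescript
// Added example (not advisory or aws-cdk-lib code). Assumes plain "MAJOR.MINOR.PATCH"
// version strings; pre-release tags are not handled.
const AFFECTED_FROM = '2.37.0';   // first vulnerable release (inclusive)
const FIRST_PATCHED = '2.187.0';  // first patched release
const LOG_SECRET_FLAG = '@aws-cdk/cognito:logUserPoolClientSecretValue';

function parseVersion(v: string): [number, number, number] {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${JSON.stringify(v)}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric semver comparison: "2.187.0" sorts after "2.37.0", unlike a text compare.
function compareVersions(a: string, b: string): number {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed library falls in [2.37.0, 2.187.0).
function isAffectedVersion(version: string): boolean {
  return compareVersions(version, AFFECTED_FROM) >= 0 && compareVersions(version, FIRST_PATCHED) < 0;
}

// Reads the feature flag from cdk.json text: true when explicitly false, false when
// explicitly anything else, undefined when the flag (or the context block) is absent.
function secretLoggingDisabled(cdkJsonText: string): boolean | undefined {
  const parsed: unknown = JSON.parse(cdkJsonText);
  if (typeof parsed !== 'object' || parsed === null) return undefined;
  const context = (parsed as { context?: Record<string, unknown> }).context;
  const value = context?.[LOG_SECRET_FLAG];
  if (value === undefined) return undefined;
  return value === false;
}

interface Verdict { exposed: boolean; findings: string[]; }

// An affected library leaks regardless of the flag (the flag did not exist yet); a
// patched library only stops leaking once the flag is false and the app is redeployed.
function assessApp(installedVersion: string, cdkJsonText: string): Verdict {
  const findings: string[] = [];
  if (compareVersions(installedVersion, AFFECTED_FROM) < 0) {
    return { exposed: false, findings }; // predates the vulnerable code path
  }
  if (isAffectedVersion(installedVersion)) {
    findings.push(`aws-cdk-lib ${installedVersion} is in the affected range [${AFFECTED_FROM}, ${FIRST_PATCHED}); upgrade`);
  }
  const disabled = secretLoggingDisabled(cdkJsonText);
  if (disabled === undefined) {
    findings.push(`${LOG_SECRET_FLAG} is not set in cdk.json context; set it to false and redeploy`);
  } else if (!disabled) {
    findings.push(`${LOG_SECRET_FLAG} is true in cdk.json context; set it to false and redeploy`);
  }
  return { exposed: findings.length > 0, findings };
}
```

A clean verdict from this check still does not cover the secret value that earlier deployments wrote to the log group; that part of the remediation is the rotation described above.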
Alternatively, users can override the implementation so that the custom resource is created with logging set to Logging.withDataHidden(). For example, define a class CustomUserPoolClient extends UserPoolClient and, in the new class, override the userPoolClientSecret getter so that its AwsCustomResource uses Logging.withDataHidden().
Example
```ts
import * as cdk from 'aws-cdk-lib';
import { SecretValue } from 'aws-cdk-lib';
import { IUserPool, UserPoolClient, UserPoolClientProps } from 'aws-cdk-lib/aws-cognito';
import { AwsCustomResource, AwsCustomResourcePolicy, Logging, PhysicalResourceId } from 'aws-cdk-lib/custom-resources';
import { Construct } from 'constructs';

export class CustomUserPoolClient extends UserPoolClient {
  // UserPoolClient keeps its user pool private, so remember the one passed in props.
  private readonly customUserPool: IUserPool;
  private readonly customGenerateSecret: boolean;
  private customSecret?: SecretValue;

  constructor(scope: Construct, id: string, props: UserPoolClientProps) {
    super(scope, id, props);
    this.customUserPool = props.userPool;
    this.customGenerateSecret = props.generateSecret ?? false;
  }

  // Override the userPoolClientSecret getter so that the custom resource resolving the
  // secret runs with Logging.withDataHidden() and never writes the value to its logs.
  public get userPoolClientSecret(): SecretValue {
    if (!this.customGenerateSecret) {
      throw new Error('userPoolClientSecret is available only if generateSecret is set to true.');
    }
    // Create the custom resource once, no matter how many times the getter is read
    if (!this.customSecret) {
      this.customSecret = SecretValue.resourceAttribute(new AwsCustomResource(
        this,
        'DescribeCognitoUserPoolClient',
        {
          resourceType: 'Custom::DescribeCognitoUserPoolClient',
          onUpdate: {
            region: cdk.Stack.of(this).region,
            service: 'CognitoIdentityServiceProvider',
            action: 'describeUserPoolClient',
            parameters: {
              UserPoolId: this.customUserPool.userPoolId,
              ClientId: this.userPoolClientId,
            },
            physicalResourceId: PhysicalResourceId.of(this.userPoolClientId),
            // Disable logging of sensitive data
            logging: Logging.withDataHidden(),
          },
          policy: AwsCustomResourcePolicy.fromSdkCalls({
            resources: [this.customUserPool.userPoolArn],
          }),
          installLatestAwsSdk: false,
        },
      ).getResponseField('UserPoolClient.ClientSecret'));
    }
    return this.customSecret;
  }
}

// Usage: the client must still be created with generateSecret: true, e.g.
// const client = new CustomUserPoolClient(this, 'Client', { userPool: pool, generateSecret: true });
```
If you have any questions or comments about this advisory please contact AWS/Amazon Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.