
GHSA-qq4x-c6h6-rfxh:
aws-cdk-lib has Insertion of Sensitive Information into Log File vulnerability when using Cognito UserPoolClient Construct

CVSS Score: 6.5 (CVSS v3.1)

Basic Information

CVE ID: -
EPSS Score: -
CWE: -
Published: 3/31/2025
Updated: 3/31/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions  | First Patched Version
aws-cdk-lib  | npm       | >= 2.37.0, < 2.187.0 | 2.187.0

Vulnerability Intelligence
Root Cause Analysis

The vulnerability existed in the UserPoolClient secret retrieval flow, where:

  1. The userPoolClientSecret getter used an AwsCustomResource to call DescribeUserPoolClient.
  2. The original implementation did not suppress logging of the SDK call's response data.
  3. The full AWS SDK response, including the ClientSecret value, was therefore written to CloudWatch Logs.
  4. The patch adds Logging.withDataHidden() to the call so that the response data is no longer logged.
  5. The functions involved in the vulnerable data flow are the secret getter and the custom resource response handler.
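The weak and hardened logging behaviour described above, as an added TypeScript example (not aws-cdk-lib's own code): a small model of a custom resource handler's response logging, a recursive redaction helper for cases where part of a response is still wanted in the log, and a defender-side check that flags a log line carrying a client secret. The `LoggingMode` type, the `SdkResponse` shape, the deny list and all sample values are constructed for illustration; in a real stack the corresponding option is `Logging.withDataHidden()` on the SDK call.

```typescript
// Added example, not aws-cdk-lib code: models how a custom resource handler
// decides what to log for a DescribeUserPoolClient response.
// 'all' stands in for Logging.all(), 'dataHidden' for Logging.withDataHidden().
type LoggingMode = 'all' | 'dataHidden';

// Constructed shape; only the fields needed for the demo.
interface SdkResponse {
  UserPoolClient: { ClientId: string; ClientName: string; ClientSecret?: string };
}

// Keys whose values must never reach a log line (constructed deny list).
const SENSITIVE_KEYS = new Set(['ClientSecret', 'SecretString', 'Password']);

// Recursively replace sensitive values so the rest of the payload stays readable.
function redactSensitive(value: unknown): unknown {
  if (Array.isArray(value)) return value.map(redactSensitive);
  if (value !== null && typeof value === 'object') {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = SENSITIVE_KEYS.has(k) ? '[REDACTED]' : redactSensitive(v);
    }
    return out;
  }
  return value;
}

// What the handler would write to CloudWatch Logs for one SDK call.
function renderResponseLog(action: string, response: SdkResponse, mode: LoggingMode): string {
  if (mode === 'dataHidden') {
    // Hardened form: acknowledge the call, never echo the payload.
    return `API call ${action} succeeded (response data hidden)`;
  }
  // Weak form (the pre-2.187.0 behaviour the advisory describes): whole response logged.
  return `API call ${action} response: ${JSON.stringify(response)}`;
}

// Defender-side check over a log line: does it carry a client secret value?
function leaksClientSecret(logLine: string): boolean {
  return /"ClientSecret"\s*:\s*"(?!\[REDACTED\]")[^"]+"/.test(logLine);
}

// Constructed sample; the secret is a placeholder, not a real credential.
const sampleResponse: SdkResponse = {
  UserPoolClient: { ClientId: 'example-client-id', ClientName: 'web-app', ClientSecret: 'PLACEHOLDER_SECRET' },
};

const weakLine = renderResponseLog('describeUserPoolClient', sampleResponse, 'all');
const safeLine = renderResponseLog('describeUserPoolClient', sampleResponse, 'dataHidden');
const redactedLine = JSON.stringify(redactSensitive(sampleResponse));
```

Running `leaksClientSecret` over exported CloudWatch log lines is one way to confirm whether a stack deployed with an affected version ever wrote the secret before upgrading to 2.187.0.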


Summary

The [AWS Cloud Development Kit (CDK)](https://aws.amazon.com/cdk/) is an open-source framework for defining cloud infrastructure using code. Customers use it to create their own applications which are converted to AWS CloudFormation templ
