CVE-2023-50928

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-50928
"Sandbox Accounts for Events" provides multiple, temporary AWS accounts to a number of authenticated users simultaneously via a browser-based GUI. Authenticated users could potentially claim and access empty AWS accounts by sending request payloads to the account API containing non-existent event ids and self-defined budget & duration. This issue only affects cleaned AWS accounts, it is not possible to access AWS accounts in use or existing data/infrastructure. This issue has been patched in version 1.1.0.

9.0 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References
Link Resource
https://github.com/awslabs/sandbox-accounts-for-events/commit/f30a0662f0a28734eb33c5868cccc1c319eb6e79 Patch
https://github.com/awslabs/sandbox-accounts-for-events/security/advisories/GHSA-cg8w-7q5v-g32r Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:amazon:awslabs_sandbox_accounts_for_events:*:*:*:*:*:*:*:*
History

08 Jan 2024, 15:23

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 7.1 		v2 : unknown
v3 : 9.0
References () https://github.com/awslabs/sandbox-accounts-for-events/commit/f30a0662f0a28734eb33c5868cccc1c319eb6e79 - () https://github.com/awslabs/sandbox-accounts-for-events/commit/f30a0662f0a28734eb33c5868cccc1c319eb6e79 - Patch
References () https://github.com/awslabs/sandbox-accounts-for-events/security/advisories/GHSA-cg8w-7q5v-g32r - () https://github.com/awslabs/sandbox-accounts-for-events/security/advisories/GHSA-cg8w-7q5v-g32r - Third Party Advisory
First Time Amazon awslabs Sandbox Accounts For Events
Amazon
CPE cpe:2.3:a:amazon:awslabs_sandbox_accounts_for_events:*:*:*:*:*:*:*:*
Summary
  • (es) Sandbox Accounts for Events proporciona múltiples cuentas temporales de AWS a varios usuarios autenticados simultáneamente a través de una GUI basada en navegador. Los usuarios autenticados podrían reclamar y acceder a cuentas vacías de AWS enviando payloads de solicitud a la API de la cuenta que contienen identificadores de eventos inexistentes y un presupuesto y una duración autodefinidos. Este problema solo afecta a las cuentas de AWS limpiadas; no es posible acceder a las cuentas de AWS en uso ni a los datos/infraestructura existentes. Este problema se solucionó en la versión 1.1.0.

22 Dec 2023, 21:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-12-22 21:15

Updated : 2024-01-08 15:23

NVD link : CVE-2023-50928

Mitre link : CVE-2023-50928

CVE.ORG link : CVE-2023-50928

JSON object : View

Products Affected

amazon

  • awslabs_sandbox_accounts_for_events
CWE
CWE-284

Improper Access Control