CVE-2024-37293 – aws-deployment-framework's potential risk can lead to privilege escalation
https://notcve.org/view.php?id=CVE-2024-37293
The AWS Deployment Framework (ADF) is a framework to manage and deploy resources across multiple AWS accounts and regions within an AWS Organization. ADF allows for staged, parallel, multi-account, cross-region deployments of applications or resources via the structure defined in AWS Organizations, while taking advantage of services such as AWS CodePipeline, AWS CodeBuild, and AWS CodeCommit to alleviate the heavy lifting and management compared to a traditional CI/CD setup. ADF contains a bootstrap process that is responsible for deploying ADF's bootstrap stacks to facilitate multi-account, cross-region deployments. The ADF bootstrap process relies on elevated privileges to perform this task. Two versions of the bootstrap process exist: a code-change-driven pipeline using AWS CodeBuild and an event-driven state machine using AWS Lambda.

References:
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
https://github.com/awslabs/aws-deployment-framework/pull/732
https://github.com/awslabs/aws-deployment-framework/releases/tag/v4.0.0
https://github.com/awslabs/aws-deployment-framework/security/advisories/GHSA-mcj7-ppmv-h6jr

Weakness: CWE-266: Incorrect Privilege Assignment