// For flags

CVE-2023-50928

sandbox-accounts-for-events security misconfiguration leads to budget exceed

Severity Score

9.0
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

"Sandbox Accounts for Events" provides multiple, temporary AWS accounts to a number of authenticated users simultaneously via a browser-based GUI. Authenticated users could potentially claim and access empty AWS accounts by sending request payloads to the account API containing non-existent event ids and self-defined budget & duration. This issue only affects cleaned AWS accounts, it is not possible to access AWS accounts in use or existing data/infrastructure. This issue has been patched in version 1.1.0.

Sandbox Accounts for Events proporciona múltiples cuentas temporales de AWS a varios usuarios autenticados simultáneamente a través de una GUI basada en navegador. Los usuarios autenticados podrían reclamar y acceder a cuentas vacías de AWS enviando payloads de solicitud a la API de la cuenta que contienen identificadores de eventos inexistentes y un presupuesto y una duración autodefinidos. Este problema solo afecta a las cuentas de AWS limpiadas; no es posible acceder a las cuentas de AWS en uso ni a los datos/infraestructura existentes. Este problema se solucionó en la versión 1.1.0.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2023-12-15 CVE Reserved
  • 2023-12-22 CVE Published
  • 2024-01-09 EPSS Updated
  • 2024-08-02 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-284: Improper Access Control
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Amazon
Search vendor "Amazon"
Awslabs Sandbox Accounts For Events
Search vendor "Amazon" for product "Awslabs Sandbox Accounts For Events"
< 1.1.0
Search vendor "Amazon" for product "Awslabs Sandbox Accounts For Events" and version " < 1.1.0"
-
Affected