CVE-2023-50928
sandbox-accounts-for-events security misconfiguration leads to budget exceed
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
"Sandbox Accounts for Events" provides multiple, temporary AWS accounts to a number of authenticated users simultaneously via a browser-based GUI. Authenticated users could potentially claim and access empty AWS accounts by sending request payloads to the account API containing non-existent event ids and self-defined budget & duration. This issue only affects cleaned AWS accounts, it is not possible to access AWS accounts in use or existing data/infrastructure. This issue has been patched in version 1.1.0.
Sandbox Accounts for Events proporciona múltiples cuentas temporales de AWS a varios usuarios autenticados simultáneamente a través de una GUI basada en navegador. Los usuarios autenticados podrían reclamar y acceder a cuentas vacías de AWS enviando payloads de solicitud a la API de la cuenta que contienen identificadores de eventos inexistentes y un presupuesto y una duración autodefinidos. Este problema solo afecta a las cuentas de AWS limpiadas; no es posible acceder a las cuentas de AWS en uso ni a los datos/infraestructura existentes. Este problema se solucionó en la versión 1.1.0.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-12-15 CVE Reserved
- 2023-12-22 CVE Published
- 2024-01-09 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-284: Improper Access Control
CAPEC
References (2)
URL | Tag | Source |
---|---|---|
https://github.com/awslabs/sandbox-accounts-for-events/security/advisories/GHSA-cg8w-7q5v-g32r | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://github.com/awslabs/sandbox-accounts-for-events/commit/f30a0662f0a28734eb33c5868cccc1c319eb6e79 | 2024-01-08 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Amazon Search vendor "Amazon" | Awslabs Sandbox Accounts For Events Search vendor "Amazon" for product "Awslabs Sandbox Accounts For Events" | < 1.1.0 Search vendor "Amazon" for product "Awslabs Sandbox Accounts For Events" and version " < 1.1.0" | - |
Affected
|