Severity
low

AWS AppFlow secrets disclosure

Published Mon, Nov 6th, 2023
Platforms

Summary

AppFlow exposed an undocumented internal service, sandstoneconfigurationservicelambda, that accepted an undocumented field, awsOwnedManagedAppCredentialsArn, during connector registration and connector updates. Supplying a victim's Secrets Manager ARN in that field caused the service to read the secret with its own access and return the clientId and clientSecret, provided the secret backed a connection profile of type OAuth or otherwise contained clientId and clientSecret. In effect the service acted as a confused deputy: whether the caller could read the referenced secret themselves was never checked.
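
The advisory gives no code; the following is an added Python example, not AppFlow's implementation, showing the class of check whose absence produces this kind of disclosure: a service that resolves a caller-supplied Secrets Manager ARN with its own credentials has to tie that ARN back to the caller before reading it. The account IDs, ARNs, the in-memory secret store and the "service-owned" registry are constructed fixtures, and the function names (resolve_vulnerable, resolve_hardened, can_resolve) are hypothetical. The hardened variant also rejects a same-account ARN the service did not itself create, which goes beyond the cross-account case the text describes.

```python
"""Confused-deputy check for a caller-supplied Secrets Manager ARN.

Added example, not AppFlow's code. Every ARN, account ID and secret below
is a constructed fixture; no AWS API is called.
"""
import re

# Constructed fixtures: two tenant accounts, each with one OAuth secret the
# hypothetical service created on the tenant's behalf, plus one secret in the
# attacker's account that the service did not create.
VICTIM_ACCOUNT = "111111111111"
ATTACKER_ACCOUNT = "222222222222"
VICTIM_ARN = "arn:aws:secretsmanager:us-east-1:111111111111:secret:victim-oauth-AbCdEf"
ATTACKER_ARN = "arn:aws:secretsmanager:us-east-1:222222222222:secret:attacker-oauth-XyZ123"
FOREIGN_ARN = "arn:aws:secretsmanager:us-east-1:222222222222:secret:unrelated-db-creds-Qq9Rr2"

# Stand-in for Secrets Manager, keyed by ARN (constructed).
SECRET_STORE = {
    VICTIM_ARN: {"clientId": "victim-client", "clientSecret": "victim-secret"},
    ATTACKER_ARN: {"clientId": "attacker-client", "clientSecret": "attacker-secret"},
    FOREIGN_ARN: {"username": "dbadmin", "password": "hunter2"},
}

# Secrets the service itself minted, per account (constructed). A real
# service would keep this in its own metadata store or tag the secret.
SERVICE_OWNED = {
    VICTIM_ACCOUNT: {VICTIM_ARN},
    ATTACKER_ACCOUNT: {ATTACKER_ARN},
}

# arn:partition:secretsmanager:region:account-id:secret:name-suffix
ARN_RE = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):secretsmanager:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):secret:(?P<name>[^:]+)$"
)


class CrossAccountReference(PermissionError):
    """The ARN points into an account other than the caller's."""


class NotServiceOwned(PermissionError):
    """The ARN is in the caller's account but was not created by this service."""


def parse_secret_arn(arn):
    """Split a Secrets Manager ARN into its fields; reject anything else."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a Secrets Manager secret ARN: {arn!r}")
    return m.groupdict()


def resolve_vulnerable(caller_account, arn):
    """Reads whatever ARN the caller names, using the service's own access.

    Only the syntax is validated; the caller's relationship to the secret is
    never checked, so any account can name any other account's secret.
    """
    parse_secret_arn(arn)
    return SECRET_STORE[arn]


def resolve_hardened(caller_account, arn):
    """Reads the secret only if it belongs to the caller and was service-created."""
    parts = parse_secret_arn(arn)
    if parts["account"] != caller_account:
        raise CrossAccountReference(
            f"account {parts['account']} referenced by caller {caller_account}"
        )
    if arn not in SERVICE_OWNED.get(caller_account, set()):
        raise NotServiceOwned(f"{arn} was not created by this service")
    return SECRET_STORE[arn]


def oauth_fields(secret):
    """The two fields the advisory says were disclosed, if present."""
    return {k: secret[k] for k in ("clientId", "clientSecret") if k in secret}


def can_resolve(caller_account, arn):
    """True if the hardened path would hand the secret to this caller."""
    try:
        resolve_hardened(caller_account, arn)
        return True
    except (PermissionError, ValueError):
        return False


if __name__ == "__main__":
    # Attacker names the victim's ARN: the vulnerable path discloses it.
    print("vulnerable:", oauth_fields(resolve_vulnerable(ATTACKER_ACCOUNT, VICTIM_ARN)))
    # The hardened path refuses the same request.
    print("hardened allows attacker->victim:", can_resolve(ATTACKER_ACCOUNT, VICTIM_ARN))
    print("hardened allows victim->own:", can_resolve(VICTIM_ACCOUNT, VICTIM_ARN))
```

The account-ID comparison alone is not enough: a same-account ARN that the service did not create is still a secret the caller may lack permission to read directly, which is why the hardened path also consults the service's own record of what it minted.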

Affected Services

AppFlow

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Entry Status
Finalized
Disclosure Date
Sat, Jun 24th, 2023
Exploitability Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Ronin