high

AWS AppSync confused deputy via ServiceRoleArn

Published Mon, Nov 21st, 2022

Platforms

Summary

The AWS AppSync service could be coerced to assume arbitrary roles in other customers' accounts which trusted the AppSync service. This was due to insufficient validation of a serviceRoleArn parameter (caused by a case-sensitivity parsing issue). With this vulnerability, if an adversary knew the ARN of the role associated with AppSync in the target account, they could use it invoke arbitrary AWS API calls.

Affected Services

AppSync

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://securitylabs.datadoghq.com/articles/appsync-vulnerability-disclosure/https://aws.amazon.com/security/security-bulletins/AWS-2022-009/

Contributed by https://github.com/frichetten

Entry Status

Finalized

Disclosure Date

Thu, Sep 1st, 2022

Exploitablity Period

Until 2022/09/06

Known ITW Exploitation

Detection Methods

Suspicious calls from roles assumed by the AppSync service.

Piercing Index Rating

9.19

(PI:1.5/A1:20/A2:1.1/A7:1.1/A8:1.1)

Discovered by

Nick Frichette, Datadog

More vulnerabilities...

medium

Azure Devops account takeover via dangling subdomain takeover

Binary Security discovered and registered two dangling cloudapp.azure.com subdomains corresponding to subdomains at visualstudio.com. Had these been discovered and registered by an attacker, this w...

Christian August Holm Hanse...

Mon, Nov 7th, 2022

medium

CosMiss

Cosmos DB notebooks lacked an authentication check, meaning that if an attacker somehow had prior knowledge of a notebook’s temporary ‘forwardingId’ (a 128bit cryptographically random GUID assigned...

Lidor Ben Shitrit, Roee Sag...

Tue, Nov 1st, 2022

medium

Azure CLI code injection vulnerability

Azure CLI contained a code injection vulnerability that could be exploited in a scenario where the host runs a command where parameter values have been provided by an external untrusted source - th...

Microsoft

Tue, Oct 25th, 2022

View all