VDB

GCVE-110-CLOUD-2023-0013

GCVE-110-CLOUD-2023-0013
Advisory Published
Vulnetix · Advisory published November 6, 2023
AppFlow had an undocumented service called sandstoneconfigurationservicelambda. An undocumented field (awsOwnedManagedAppCredentialsArn) could be used during connector registration and connector updates. Specifying a victim's Secret ARN as that field disclosed the clientId and clientSecret, so long as the victim Secret ARN belonged to a connection profile which is of the type OAuth or contains clientId and clientSecret.

Affected Products

VendorProductVersionsPlatforms
AWSConnect
AWSCloud Services
AWSAppFlow
AWSConfig
AWSLambda
AWSECR

References

advisory

Browse GCVE Records

72,580 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›