VDB

GCVE-110-CLOUD-2023-0037

GCVE-110-CLOUD-2023-0037
Advisory Published
Vulnetix · Advisory published April 25, 2023
An AWS-recommended IAM policy that enforced MFA on access keys could have been bypassed due to a change implemented by AWS in November 2022 that allowed IAM users to assign multiple MFA devices to their account. Prior to this change, an attacker that had compromised credentials could not create and assign a new MFA device to bypass the MFA requirement as they would need to first deactivate the user’s existing MFA device. Organisations using SSO which enforces MFA, either via an external IdP or AWS SSO, were not affected by this issue.

Affected Products

VendorProductVersionsPlatforms
AWSAWS IAM
AWSIAM

References

advisory
advisory

Browse GCVE Records

73,443 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›