VDB
GCVE-110-CLOUD-2023-0037
GCVE-110-CLOUD-2023-0037
Advisory Published
An AWS-recommended IAM policy that enforced MFA on access keys could have been bypassed
due to a change implemented by AWS in November 2022 that allowed IAM users to assign
multiple MFA devices to their account. Prior to this change, an attacker that had compromised
credentials could not create and assign a new MFA device to bypass the MFA requirement as they
would need to first deactivate the user’s existing MFA device. Organisations using SSO which
enforces MFA, either via an external IdP or AWS SSO, were not affected by this issue.
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| AWS | AWS IAM | — | — |
| AWS | IAM | — | — |
Browse GCVE Records
73,443 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.