VDB
GCVE-110-CLOUD-2024-0010
GCVE-110-CLOUD-2024-0010
Advisory Published
The AWS Cloud Development Kit (CDK) is a way of deploying infrastructure-as-code. The vulnerability involves AWS CDK’s use of a predictable S3 bucket name format
(cdk-{Qualifier}-assets-{Account-ID}-{Region}), where the default “random” qualifier (hnb659fds) is common and easily guessed. If an AWS customer deletes this bucket and reuses CDK,
an attacker who claims the bucket can inject malicious CloudFormation templates, potentially gaining admin access. Attackers supposedly only need the AWS account ID to prepare the bucket
in various regions, exploiting the default naming convention. However, it is important to note that the additional conditions greatly lower the likelihood of exploitation.
The victim must use the CDK, having deleted the bucket, and then subsequently attempt to deploy with the CDK. Making it so that even if there is a vulnerable account, it could be months,
if ever for the attack to work.
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| AWS | S3 | — | — |
| AWS | Cloud Services | — | — |
| AWS | Cloud Development Kit (CDK) | — | — |
| AWS | CloudFormation | — | — |
| AWS | SES | — | — |
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.