VDB

GCVE-110-CLOUD-2024-0041

GCVE-110-CLOUD-2024-0041
Advisory Published
Vulnetix · Advisory published April 15, 2024
The AWS Amplify service was found to be misconfiguring IAM roles associated with Amplify projects. This misconfiguration caused these roles to be assumable by any other AWS account. Both the Amplify Studio and the Amplify CLI exhibited this behavior. Any Amplify project created using the Amplify CLI built between July 3, 2018 and August 8, 2019 had IAM roles that were assumable by anyone in the world. The same was true if the authentication component was removed from an Amplify project using the Amplify CLI or Amplify Studio built between August 2019 and January 2024. AWS mitigated this vulnerability through backend changes to STS and IAM, and also released a patch for the Amplify CLI to ensure that newly created roles are properly configured in accordance with these changes.

Affected Products

VendorProductVersionsPlatforms
AWSCloud Services
AWSAmplify
AWSAmplify, Cognito
AWSIAM
AWSConfig

References

advisory
advisory

Browse GCVE Records

73,443 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›